Dedicated to providing the latest
HIPAA compliance news

The UCLA Health Data Breaches Continue: Further 1,242 Records Exposed

Share this article on:

The UCLA Health data breaches are continuing: Another security incident has just been announced following the discovery that a faculty member’s laptop was stolen on July 3, 2015.

UCLA Health is now in the process of notifying 1,242 patients that a limited amount of Protected Health Information was stored on the unencrypted – but password protected – laptop computer. The data potentially exposed to criminals includes patient names, medical record numbers and health information relating to treatment plans.

UCLA confirmed in a press release that no Social Security numbers were stored on the laptop; neither health plan IDS, financial or insurance data; the information thieves seek in order to commit identity fraud and other financial crimes.

Since the laptop was password protected the thieves may have been prevented from viewing the data stored on the device. However, passwords can be cracked, and do not offer the same level of security as data encryption so there is a risk that the data could still be viewed and used by the thieves.

The healthcare provider was notified of the laptop theft promptly after it occurred and an investigation was immediately launched to determine the extent of data exposed. UCLA Health was able to determine the contents of the laptop from a back-up that had previously been made of the device. The data analysis was completed on August 14.

At this stage in time, the data stored on the laptop does not appear to have “accessed, disclosed or used” by unauthorized individuals according to UCLA Health. A spokesperson for the company also confirmed that UCLA Health is monitoring the situation, and that there are “Policies and programs in place to identify ‘red flags’ or warnings of possible medical identity theft and inform patients when these are found.”

Three UCLA Health Data Breaches Uncovered in a Matter of Weeks

 

The latest data breach closely followed a major cyberattack in which the records of approximately 4.5 million individuals were exposed – and potentially copied – by cybercriminals. The security breach occurred on May 5, 2015, although evidence suggests that the hackers first gained access to the computer network as early as September 2014.

UCLA Health was alerted to “suspicious activity” on its network in October and began an investigation. That investigation determined that no Protected Health Information had been accessed by the person or persons responsible. However, 8 months later, UCLA Health discovered that hackers had installed a back door in the system which allowed them to return. They did just that in May, and gained access to one of the company’s patient databases.

Since the hackers gained access to health records and Social Security numbers, the risk of identity theft was perceived to be high, and patients were offered credit monitoring and restoration services for a period of 12 months without charge.

There is no mention of credit monitoring services being offered for the latest data breach, although a dedicated helpline number has been set up – 1-888-236-0447 – to help victims find out more about the breach, whether they were affected, and the steps that can be taken to reduce risk of loss, harm or damage.

A third data breach occurred when breach notification letters were mailed to victims of the cyberattack. One patient of UCLA Health, Steve Reasner, reported receiving nine incorrect breach notification letters in the post, none one which were addressed to him. His letter arrived days later after he was informed by the helpline that he had not been affected.

After three data breaches in rapid succession, Mr Reasner may not be the only patient to receive multiple breach notification letters from UCLA Health this year.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On