HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

The UCLA Health Data Breaches Continue: Further 1,242 Records Exposed

The UCLA Health data breaches are continuing: Another security incident has just been announced following the discovery that a faculty member’s laptop was stolen on July 3, 2015.

UCLA Health is now in the process of notifying 1,242 patients that a limited amount of Protected Health Information was stored on the unencrypted – but password protected – laptop computer. The data potentially exposed to criminals includes patient names, medical record numbers and health information relating to treatment plans.

UCLA confirmed in a press release that no Social Security numbers, health plan IDs, financial data or insurance data were stored on the laptop. This is the information thieves seek in order to commit identity fraud and other financial crimes.

Since the laptop was password protected, the thieves may have been prevented from viewing the data stored on the device. However, passwords can be cracked and do not offer the same level of security as data encryption, so there is a risk that the data could still be viewed and used by the thieves.

The healthcare provider was notified of the laptop theft promptly after it occurred and an investigation was immediately launched to determine the extent of data exposed. UCLA Health was able to determine the contents of the laptop from a back-up that had previously been made of the device. The data analysis was completed on August 14.

At this stage, the data stored on the laptop does not appear to have been “accessed, disclosed or used” by unauthorized individuals, according to UCLA Health. A spokesperson for the company also confirmed that UCLA Health is monitoring the situation, and that there are “Policies and programs in place to identify ‘red flags’ or warnings of possible medical identity theft and inform patients when these are found.”

Three UCLA Health Data Breaches Uncovered in a Matter of Weeks


The latest data breach closely followed a major cyberattack in which the records of approximately 4.5 million individuals were exposed – and potentially copied – by cybercriminals. The security breach occurred on May 5, 2015, although evidence suggests that the hackers first gained access to the computer network as early as September 2014.

UCLA Health was alerted to “suspicious activity” on its network in October and began an investigation. That investigation determined that no Protected Health Information had been accessed by the person or persons responsible. However, 8 months later, UCLA Health discovered that hackers had installed a back door in the system which allowed them to return. They did just that in May, and gained access to one of the company’s patient databases.

Since the hackers gained access to health records and Social Security numbers, the risk of identity theft was perceived to be high, and patients were offered credit monitoring and restoration services for a period of 12 months without charge.

There is no mention of credit monitoring services being offered for the latest data breach, although a dedicated helpline number has been set up – 1-888-236-0447 – to help victims find out more about the breach, whether they were affected, and the steps that can be taken to reduce the risk of loss, harm or damage.

A third data breach occurred when breach notification letters were mailed to victims of the cyberattack. One patient of UCLA Health, Steve Reasner, reported receiving nine incorrect breach notification letters in the post, none of which were addressed to him. His own letter arrived days later, after he had been informed by the helpline that he had not been affected.

After three data breaches in rapid succession, Mr Reasner may not be the only patient to receive multiple breach notification letters from UCLA Health this year.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.