UCLA Health System Hacked: 4.5 Million Patient Records Exposed

ucla-healthThe University of California, Los Angeles Health System (UCLA) has reported it has been targeted by hackers who potentially accessed and copied a database containing the Protected Health Information (PHI) of up to 4.5 million patients and hospital staff members.

The UCLA Health network consists of four hospitals: The Ronald Reagan UCLA Medical Center, UCLA Medical Center, Santa Monica, Mattel Children’s Hospital & Resnick Neuropsychiatric Hospital. It also has approximately 150 offices in Southern California. Any person who has previously received medical services from UCLA Health in the past 25 years could potentially be affected. Some of the exposed records dated back to 1990. UCLA employees are also believed to have had their data exposed.

The data compromised in the incident included patient names, dates of birth and home addresses along with Social Security numbers, Medicare numbers, health plan/health insurance identification numbers and health information. No financial data appears to have been exposed to the hackers.

If the data has been copied, it would allow the thieves to make false Medicare claims, file fake tax returns, commit insurance fraud, steal identities and fraudulently obtain credit.


Suspicious Server Activity First Detected in September 2014


According to a statement issued by UCLA Health System, an investigation into the security breach revealed hackers most likely gained access to at least one of the company’s servers in September, 2014, but it took until October for the hackers to trigger the health system’s network alarms.

The “suspicious activity” was reported to the FBI at the time, although UCLA said in a statement “At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information.” On May 5, 2015, UCLA discovered hackers had managed to gain access to computers used to store PHI.

One of the questions patients are likely to want answered is why the security incident was not resolved in October; seven months prior to healthcare data being exposed.


Apology Issued to Staff and Patients


UCLA Hospital System interim president, Dr. James Atkinson, issued an apology to patients and explained the Health System has invested heavily in data security and treats the privacy of patients seriously.

He said, “For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened.” He went on to explain that UCLA health system is under “near-constant attack,” and the healthcare system’s security defenses repel “millions of known hacker attempts each year.”

The University has invested tens of millions of dollars in IT security recently to secure its computer systems, and up until this point had managed to repel all hacking attempts. It is not clear at this stage how hackers gained access to its systems and managed to bypass its multi-million dollar defenses.

Why Were Breach Notices not Issued for 10 Weeks?


The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to issue breach notification letters to patients within 60 days of the discovery of a data breach that exposes PHI. A notice must also be issued to the media announcing the security incident, and State Attorneys general must also be informed. While HIPAA demands notifications be issued within 60 days, it also stipulates that they should be sent “without unreasonable delay.”

The Department of Health and Human Services’ Office for Civil Rights investigates data breaches for potential HIPAA violations. Previously the agency has concentrated on enforcing HIPAA Privacy and Security Rules; however there appears to have been a shift in focus in recent months, with the OCR more concerned with the breach response and actions taken to prevent future attacks. Any delay in issuing breach notification letters is likely to trigger an investigation. The California attorney general will also be keen to find out why the organization delayed issuing notifications for so long.

Hackers first gained access to the network in September last year, but it was not until May 5, 2015 when the University discovered PHI had potentially been compromised. A statement announcing the breach was released by the hospital yesterday; July 17, 2015, some ten weeks after the hack was discovered.

CNNMoney asked UCLA spokesperson, Tod Tamberg, why breach notification letters were delayed. He responded by saying “The process of addressing the technological issues surrounding this incident and the logistics of identifying and notifying the potentially affected individuals was time-consuming.”

Massive Healthcare Data Breaches Occurring with Alarming Frequency


Huge data breaches used to be rare, but now they are occurring with alarming frequency. The news of this breach comes just a matter of days after the OPM discovered millions of records had been obtained by hackers. Over 25 million confidential records have been exposed in these two incidents alone.

The hacks at Anthem and Premera exposed 78.8 million and 11 million records respectively, but prior to those two incidents the largest healthcare data breach reported was an improper disposal breach at Tricare back in 2009, which exposed 4.9 million records.

However today, million-record+ data breaches are more likely to result from hacking. Last year, Community Health Systems also suffered a hacking data breach that exposed 4.5 million records.

Up until the end of June, 89,439,761 healthcare records had been exposed in 2015 and hackers are responsible for exposing the vast majority of those records.

Hospitals Targeted by Hackers Seeking Protected Health Information


Ken Westin, senior security analyst for cybersecurity company Tripwire, told HIPAAJournal, “Similar to what we saw with retail – when one mega breach led to another, as predicted, we are seeing a similar scenario play out in healthcare.”

“The reason for this is due to the fact that organized criminal syndicates have found ways to monetize data found in patient databases through various forms of fraud, as well as the fact that common vulnerabilities exist across healthcare organizations due to similarities in IT architecture, tools and data structures.”

The retail industry continues to be targeted by cybercriminals; however the healthcare industry offers far greater rewards. Credit card numbers can be sold for a few dollars; but healthcare data and Social Security numbers are far more valuable, fetching up to $60 or more on the black market. A full set of data can sell for as much as $200.


Are Patients At Risk of Suffering Identity Fraud?


The intentions of the cybercrimnals responsible for the latest attack are not known. UCLA Medical Center has discovered no evidence of data being exfiltrated, but as Westin points out, “that does not mean it wasn’t,” he says, “healthcare and other organizations may simply not have the detective controls in place to collect evidence, or the attackers utilized advanced methods of exfiltration to avoid detection.”

Atkinson said that the hackers responsible for the UCLA attack were “A highly sophisticated group, likely to be offshore”, although he did also say “we really don’t know. It’s an ongoing investigation.”

Since the data obtained by the hackers could be used to commit fraud, UCLA Health System will be providing credit monitoring services to individuals whose Social Security or Medicare ID numbers were exposed, along with identity theft protection for all breach victims. The services will be provided for a period of one year without charge.

The FBI investigation is ongoing and UCLA confirmed that it will be taking further steps to improve data security in the wake of the breach.

A Different Approach to Protect Patients and Health Plan Members


This incident shows that even with millions of dollars of investment, security defenses can be breached. As long as there is money to be made, hackers will continue to develop even more elaborate ways to access data.

Earlier this week, health insurer Blue Cross Blue Shield announced it was taking a different approach to protect its members, and would be offering credit and identity protection services to all plan subscribers in an effort to combat the ever increasing risk of identity theft and fraud.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.