Hackers may have gained access to patient information at the UCLA Health System, the Californian university’s hospital announced on Friday. The data breach could affect as many as 4.5 million people.
The hospital’s administration is not yet certain what, if any, information has been stolen, according to a page devoted to the incident on its website. “Unfortunately, UCLA Health was a victim of a cyber attack that may have put some personal information at risk,” the hospital wrote. “To date, there is no evidence that the cyber attackers actually accessed or acquired any individual’s personal or medical information, but we cannot conclusively rule out that possibility.”
The statement lists a variety of data that may have been lost, including names, addresses, Social Security numbers, medical records and ID numbers, among other types. The patient information was not encrypted, the Los Angeles Times reported.
“They are a highly sophisticated group (of hackers) likely to be offshore,” hospital President James Atkinson told the LA Times. “We really don’t know. It’s an ongoing investigation.”
Recently, major health insurers such as Anthem and Premera Blue Cross, have been hacked, putting tens of millions of medical records at risk. Many security firms have cited cyberespionage as a possible motivation for the attacks.
“[N]o institution in today’s environment of constant cyberthreats and attacks is immune from this risk,” said the University of California president’s office in a statement. “We also realize that, at UCLA and throughout the UC System, we need to learn from this event and further strengthen our defenses.”
UCLA Health said it spotted suspicious activity on a computer server in October, and on May 5 had confirmed that its network had been breached. The hospital has begun the process of notifying those who may be affected. It is offering a year of identity theft recovery services to affected individuals as well as a year of free credit monitoring for those whose social security number or Medicare ID number has been compromised.
The hospital is currently investigating the attack with the help of the Federal Bureau of Investigation and an unnamed forensics firm. It has also set up a cybersecurity review team headed by Janet Napolitano, the UC president and former Secretary of Homeland Security under President Obama, to boost digital defenses across the university system’s computer networks.
This is not UCLA Health’s first run-in with a data security issue, LA Times points out. In 2008, the hospital got into hot water when employees accessed and sold the information contained in medical records of celebrities such as Britney Spears and Farrah Fawcett.
