UCLA Health Discloses Big Breach

The UCLA Health system announced late last week that it was the victim of a cyberattack, potentially exposing sensitive data of millions of patients.

UCLA announced the breach on July 17, although officials had been aware of suspicious activity within its network as early as October 2014, when it began an investigation in tandem with the FBI.

“We take this attack on our systems extremely seriously,” said James Atkinson, M.D., interim associate vice chancellor and president of the UCLA Hospital System.

The breach affected approximately 4.5 million former and current UCLA Health patients. Data that might have been compromised included names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare/health plan identification, and potentially some medical information. However, UCLA Health could not verify whether such information had actually been breached.

The UCLA Health system apparently was not encrypted, the Los Angeles Times reported,  which would have made a cyberattack much more difficult. However, healthcare security experts say that levels of protection vary from provider, and many do not encrypt their data unless it has been compromised.

According to data from the U.S. Department of health and Human Services, more than 1,100 breaches involving more than 120 million patients have been reported since 2009.

UCLA Health said it was notifying those patients who may have been affected, and is providing identity theft protection services free for one year.

UCLA Health is being sued over the matter, with a potential class-action suit filed in federal court in Los Angeles on July 20.

 that could be certified as a class-action case. The plaintiff, patient Michael Allen, sued both the health system and the University of California Board of Regents, claiming they were negligent and did not notify patients of the the breach in a timely manner.