The hospital announced the data breach on its website, stating that the compromised information could include “name, address, date of birth, social security number, medical record number, Medicare or health plan ID number, and some medical information (e.g., medical condition, medications, procedures, and test results).” An investigation is ongoing, but UCLA Health says it is not yet clear whether or not the patient information was viewed or copied.
The hospital’s network may have been accessed in September and the hospital became aware of the intrusion in October. A preliminary investigation concluded in May confirmed the access.
“There is no evidence that the cyber attackers actually accessed or acquired any individual’s personal or medical information, but we cannot conclusively rule out that possibility,” UCLA Health stated.
The hospital president, Dr. James Atkinson, told the LA Times that the hackers are “a highly sophisticated group likely to be offshore.” However, he added, “We really don’t know.”
It’s not the first time UCLA Health has struggled to keep patient data private, but previous breaches have involved UCLA employees rather than outside intruders. Several former employees have been accused of leaking information on high-profile patients to the press. An employee of the hospital sold information about Farrah Fawcett’s cancer treatment to the National Enquirer and the hospital also failed to keep information about Michael Jackson’s death secure, according to ProPublica. In both instances, the hospital was fined for the breaches.
To protect patients from identity theft, UCLA Health is providing identity protection services and credit monitoring to those whose data may have been accessed. For more information on how to enroll in these services, visit the UCLA Health site.
