Marking another high-profile data breach, hackers broke into UCLA Health System’s computer network and may have accessed sensitive information on as many as 4.5 million patients, hospital officials said.
This cyberattack at UCLA comes on the heels of a major breach of federal employee records and a massive hack at health insurance giant Anthem Inc. affecting 80 million Americans this year.
The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.
The revelation that UCLA hadn’t taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.
“These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas.
UCLA said Friday that it’s working with the FBI and had hired computer forensic experts to further secure its network.
The university said there was no evidence yet that patient data were taken, but it can’t rule out that possibility while the investigation continues.
“We take this attack on our systems extremely seriously,” said Dr. James Atkinson, interim president of the UCLA Hospital System. “For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened.”
Atkinson said the hospital detected unusual activity on one of its computer servers in October and began investigating with help from the FBI.
It wasn’t until May 5, according to UCLA, that investigators determined that the hackers had gained access to parts of UCLA Health’s computer network where some patient information was stored.
Those parts of the network contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures.
The unauthorized access could have begun in September 2014, UCLA said, and some of the patient information dates to 1990.
Atkinson said it doesn’t appear that credit card and other financial information was involved.
“They are a highly sophisticated group [of hackers] likely to be offshore,” he said. “We really don’t know. It’s an ongoing investigation.”
An FBI spokeswoman said the agency “is looking into the nature and scope of the matter, as well as the person or group responsible” for the UCLA breach.
UCLA said that prior to the attack on its system it had been taking steps and spending tens of millions of dollars to strengthen its computer security. It added that it has successfully thwarted hacker attacks in the past.
But some security experts were unimpressed. They questioned the lack of encryption at UCLA in light of other breaches across the country. Anthem faced similar criticism over its failure to encrypt the information that was exposed to hackers during its cyberattack.
“Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted,” said Igor Baikalov, chief scientist at Securonix, a data security firm in Los Angeles. “If our premium universities don’t learn from experience, what can we expect from other, less-learned organizations?”
Mark Savage, a health information technology expert at the National Partnership for Women & Families, a nonprofit advocacy group in Washington, said it’s too early to assess UCLA’s digital defenses until more details are known about what the hackers did and what protections were in place.
The UC system vowed Friday to learn from the UCLA incident and fortify its defenses across all of its universities and hospitals.
In a statement, the university system said President Janet Napolitano has established an external cybersecurity group that will examine the “security posture across the UC system” and “assess emerging threats and potential vulnerabilities.”
Atkinson said the UCLA breach illustrates one potential drawback to the nation’s push to ditch paper records and digitize patient information in giant databases.
“We live in a digital age which brings tremendous benefits,” he said. “But electronic health records come with the risk of this.”
UCLA said it’s sending letters to affected patients, which include many of its own staff and faculty.
The university is offering a year of identity-theft protection as well as a year of credit monitoring to people who had their Social Security or Medicare ID numbers stored on the compromised network.
For more information, people can contact UCLA at (877) 534-5972 or check the website www.myidcare.com/uclaprotection.
Federal health officials investigate breaches of patient privacy and can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as HIPAA.
The UCLA Health System found itself at the center of a scandal in 2008 involving workers who snooped into the medical records of Britney Spears, Farrah Fawcett and Maria Shriver, among others. One former employee was convicted of selling celebrity medical information to the National Enquirer. UCLA agreed to pay $865,500 as part of a settlement with federal regulators.
Times staff writers Abby Sewell and Joel Rubin contributed to this report.