Member-supported news for Southern California
Play Live Radio
Next Up:
0:00
0:00
Available On Air Stations
Support for KPCC comes from:

4.5 million people's personal information at risk in UCLA Health data breach

Exterior view of the Ronald Reagan UCLA Medical Center during their Ebola virus readiness drill (closed to the media) to test their ability to diagnose and treat Ebola patients in Los Angeles on October 17, 2014.
Mark Ralston/AFP/Getty Images
Exterior view of the Ronald Reagan UCLA Medical Center on Oct. 17, 2014.

In the latest major cyber attack compromising personal information, UCLA Health announced that data on as many as 4.5 million people may be at risk.

Suspicious activity was first detected by UCLA Health in Oct. 2014, at which time it began investigating with help from the FBI, the organization said in a statement.

"At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information," UCLA Health wrote.

On May 5, UCLA Health says they determined that part of the network that contains personal information and some medical information had been breached, and that hackers may have accessed those parts of the network as early as Sept. 2014.

The organization says that it's continuing to work with the FBI and has also hired private computer forensic experts to more completely secure information on their servers. It's also expanding its own internal security team.

"UC President Janet Napolitano has mobilized an external cybersecurity group that will assess our security posture across the UC system," the school said in a statement. "The team will review and validate ongoing internal efforts and assess emerging threats and potential vulnerabilities. The information from this external review will inform a broader UC-wide cybersecurity plan."

"We take this attack on our systems extremely seriously," the UCLA Hospital System's Dr. James Atkinson said in a statement. "We have taken significant steps to further protect data and strengthen our network against another cyber attack."

UCLA Health says they don't have evidence that personal information or medical records were accessed or acquired, but that it is offering 12 months of identity theft recovery and restoration services, along with other health care identity protection tools. They're also offering 12 months of credit monitoring for anyone whose Social Security or Medicare information was stored on the affected part of their network.

The organization says that large sites like itself are under "near-constant attack" and that they identify and block millions of known hacking attempts every year.

Patients who've been affected will receive letters advising them of the situation, and UCLA Health says it's set up a website allowing them to register for the free identity protection and credit monitoring services at www.myidcare.com/uclaprotection.

California Attorney General Kamala Harris responded by issuing a consumer alert, according to a statement from her office, noting that affected information may include Social Security numbers, health insurance IDs, diagnosis and treatment records and payment information.

"Both SSNs and health insurance IDs create the potential for medical identity theft, which is the use of someone’s identity to obtain medical services or products or for financial gain. Medical identity theft can affect both the victim’s finances and medical records," the attorney general's office said in their statement.

The office advises potential victims to watch their Explanation of Benefits statements for any discrepancies.

All of the information on the data breach being provided by UCLA Health is available at www.uclahealth.org/data2015.

This story has been updated.