- HIPAA Update - http://blogs.hcpro.com/hipaa -

UCLA Health System hacked, 4.5 million people affected

Cyber criminals hacked into part of a computer network at UCLA Health System in California, compromising records of at least 4.5 million people, the university hospital system reported on Friday [1].

There is no evidence yet the hackers obtained access to or acquired individuals’ PHI, although the compromised areas of the network do contain names, addresses, birthdates, Social Security numbers, medical record numbers, Medicare or health plan numbers, and other medical information, according to a statement from UCLA Health.

The health system is working with the FBI and has also hired private computer forensic experts to secure information on network servers.

UCLA Health first detected suspicious activity on its network in October 2014 and began an investigation with the FBI, but it didn’t appear the attackers had gained access to personal or medication information at that time, according to Friday’s statement.

It wasn’t until May 5 that investigators determined the hackers did access parts of the network containing PHI, said UCLA Health, adding that evidence suggests the hackers may have been active as early as September 2014.

As the investigation continues, the health system is still in the process of notifying possible victims and is offering all 4.5 million people one year of free identity theft and restoration services as well as other healthcare identity protection tools. Additionally, one year of free credit monitoring will be offered to people whose Social Security number or Medicare number was potentially compromised.

“UCLA Health identifies and blocks millions of known hacker attempts each year. In response to this attack, however, we have engaged the services of leading cyber-surveillance and security firms, which are actively monitoring and protecting our network,” read Friday’s statement. “We have also expanded our internal security team. These are just a few of the important measures we are taking to help protect against another cyber attack.”

In addition to sending letters to potential victims, the health system has also established a website at www.myidcare.com/uclaprotection [2] with more details on how to access fraud detection and prevention services.