Get the latest tech news How to check Is Temu legit? How to delete trackers
TECH
UCLA

Hack at UCLA Health could involve 4.5M people

Elizabeth Weise
USA TODAY
Ronald Reagan UCLA Medical Center in Los Angeles, one of four hospitals and 150 offices in the UCLA Health network. A cyber attack may have put the information of 4.5 patients at risk, the network said July 17, 2015

SAN FRANCISCO — A cyber attack on the UCLA Health system that may have exposed information about 4.5 million people is another example of the lack of support given to cyber security--and why health care systems especially are at risk, say experts.

During the breach, which was announced Friday, the attackers accessed parts of the computer network that contain personal and medical information, UCLA said in a release.

However, there is "no evidence at this time that the cyber attacker actually accessed or acquired any individual's personal or medical information," said UCLA Health, a medical system that includes four hospitals and over 150 offices in southern California.

That seems unlikely, said Stephen Newman, CTO of Damballa, an Atlanta-based computer security company. "Though UCLA Health says there was no evidence that personal and medical information was taken, time will tell for sure," he said. "Once criminals have unfettered access to a network, they have many ways to remove data."

Health care networks are juicy targets for hackers, said Gavin Reid, vice president of threat intelligence for Lancope, an Alpharetta, Ga.-based company.

"This is another in a long series of recently discovered compromises to medical institutions Carefirst, Anthem, BlueCross and now the UCLA Health. At this point we probably have more breached medical databases than ones that haven't been compromised," he said.

The shift from paper to electronic records over the past ten years has made health care systems especially vulnerable, because security spending hasn't kept pace.

"The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection and response," Reid said.

"This is yet another example of why we need significant investment in data security," said Gerald Kominski, director of the UCLA Center for Health Policy Research.

"Data security is a national security issue," he said. "We should be investing considerable government resources in protecting data systems in all sectors of our economy from hacking."

UCLA Health doesn't see 4.5 million people a year so "this may involve years and years of data," Kominski said. "Again, I find this year troubling."

The data in a typical health file is enticing to hackers because it's so easily sold in the underground market. But it's also possible that information about celebrities might have been the target, if this was a hacktivist attack, said Jeff Hill, channel manager, STEALTHbits Technologies.

"If you're looking to attract attention to your cause, what better way than to exploit the intersection of our voyeuristic and celebrity-obsessed culture?" Hill said.

UCLA Health said it was working with investigators from the Federal Bureau of Investigation, and has hired private computer forensic experts as well.

The medical network first detected suspicious activity on its computer network in October 2014 and launched an investigation together with the FBI.

At the time, the health network didn't think the attackers had been able to get to parts of its computer system which contain personal information.

However further investigation found that the attackers might have been able to access those parts of its network as early as September 2014.

"We continue to investigate this matter," the network said in a release.

Because it can't "conclusively rule out" the possibility that the hackers were able to access patient information, people whose information was stored on the affected parts of the network are being notified, UCLA Health said.

People who might have been affected will be offered 12 months of identity theft recovery and restoration services as well as additional health-care identity protection tools. Those whose Social Security numbers or Medicare identification numbers were potentially accessed will receive 12 months of credit monitoring.

UCLA Health 's hospitals include Ronald Reagan UCLA Medical Center, UCLA Medical Center-Santa Monica, Mattel Children's Hospital UCLA and Resnick Neuropsychiatric Hospital at UCLA.

Featured Weekly Ad