A UCLA Health System hack has been uncovered in which 4.5 million patient health records have been accessed and potentially stolen. This may not be the biggest healthcare data breach in 2015; the Anthem Hack exposed 78.8 million records and the Primera Blue Cross breach resulted in 11 million records being compromised – but this certainly ranks as one of the most serious healthcare data breaches ever reported.
The data exposed in the UCLA Health System hack was of a highly sensitive nature, more so that the Anthem breach, as Social Security numbers and health data was also accessed. As a result, the victims of this data breach face a high risk of suffering identity theft and fraud.
UCLA Health System Hack Exposes Highly Sensitive Patient PHI
Suspicious server activity had been noticed by UCLA in October last year. At that point the incident was investigated and reported to law enforcement, although no patient health data appeared to have been accessed. That changed on May 5, 2015 when the patient database was infiltrated.
UCLA conducted an investigation into the data breach, and while no evidence has been uncovered to suggest that the data has been copied, or used, by hackers, patients are advised to exercise extreme caution. The data exposed included Social Security numbers, Medicare IDs, health plan provider names and member numbers, as well as health information and a host of personal identifiers.
The data could potentially be used by the hackers to obtain credit in the names of victims, make false Medicare claims, and commit insurance fraud and identity theft.
Patients Now Notified of Data Breach
UCLA has now issued breach notification letters to patients to alert them to the fact their data has been exposed, and to advise them to take precautions to reduce the risk of harm and losses being suffered. The letters took some time to be mailed; approximately 10 weeks after the breach was first identified. A statement issued by UCLA indicates the letters were mailed on July 17, 2015.
Under HIPAA, organizations have up to 60 days to alert patients to a data breach, so there does not appear to have been a violation of the HIPAA Breach Notification Rule. Many patients; however think that breach notification letters should have been issued much more rapidly, especially considering the extent of data exposed in the breach.
The delay in issuing breach notification letters was questioned by CNN reporters. Tod Tamberg, a spokesperson for UCLA, told CNN News, “The process of addressing the technological issues surrounding this incident and the logistics of identifying and notifying the potentially affected individuals was time-consuming.”
UCLA had Implemented Robust Data Security Defenses
The UCLA Health System hack demonstrates that even with robust security defenses, hackers can still gain access to healthcare data. UCLA had recently improved its defenses against hackers, and had invested in multi-million dollar defenses: Tens of millions of dollars had been spent securing networks and patient data.
It is not clear at this stage exactly how the hackers managed to gain access to the patient database; however one of the most successful methods used by hackers is spear phishing, which targets the weakest links in a system: Employees.
Spear phishing campaigns are used to fool users into revealing login credentials, downloading malware or opening infected attachments, which bypass even the most sophisticated of security defenses. Combating this type of attack is difficult, but efforts must be made to train staff on how to recognize phishing campaigns. Malware scans should also be conducted regularly. It may not always be possible to repel attacks, but rapid identification of hacks will minimize the damage they cause.