A hack of UCLA Health's computer network may have compromised personal and medical information for as many as 4.5 million individuals, the health system said Friday. Names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information was put at risk, it said in an announcement.
The four-hospital system determined on May 5 that hackers accessed parts of its network; the investigation into the hack, which included participation from the FBI, began last October, when UCLA Health detected suspicious activity.
James Atkinson, interim associate vice chancellor and president of the UCLA Hospital System, said that the system has already taken "significant steps" to protect data and strengthen its network. UCLA is offering all those impacted by the breach 12 months of identity theft recovery and restoration services on top of other healthcare ID protection tools.
The health system also is working with "leading cybersurveillance and security firms" to monitor its network, and has expanded its internal security team.
"We take this attack on our systems extremely seriously," Atkinson said. "We sincerely regret any impact this incident may have on those we serve."
In an interview with the Los Angeles Times, Atkinson called the hackers "a highly sophisticated group, likely to be offshore."
The attack is the latest in a recent string of high-volume breaches. Health insurers Anthem and Premera Blue Cross discovered data breaches earlier this year, with the former's compromising the personal health information of 80 million customers. A hack of CareFirst announced in May also compromised information for roughly 1.1 million current and former consumers.
Last summer, a breach of Franklin, Tennessee-based Community Health Systems--which operates 206 hospitals in 29 states--also compromised information for about 4.5 million consumers.
Breaches have become so prevalent of late that the Blue Cross Blue Shield Association recently announced an initiative to offer identity protection services to all of its 160 million members preemptively. However, security expert Mac McMillan, chairman and cofounder of healthcare information security firm CynergisTek Inc., isn't sure the "generous" move goes far enough.
"The real problem here is trying to avoid having breaches in the first place," he told FierceHealthPayer. "It's almost as if the presumption is there are going to be breaches, and therefore, they're just going to go ahead and offer the protection ahead of time."