The University of California, Los Angeles, announced today that their health system had been hacked sometime in the past ten months, potentially compromising the personal data of 4.5 million people.
UCLA Health first noticed the security breach in September 2014, when the system detected "suspicious activity" and the FBI was called in to investigate. At that time, it didn't appear that hackers posed a threat. Then, in May 2015, the healthcare provider realized hackers had accessed their internal system, which contained privileged information like names, addresses, social security numbers, and medical records that may have been stolen.
According to a statement from UCLA Health, "there is no evidence that the attacker actually accessed or acquired individuals' personal or medical information," only that there was the potential for a hacker to do so. If it did happen, the data would likely be distributed and sold on the black market, where medical records are worth ten times as much as credit card information.
James Atkinson, interim associate vice chancellor and president of the UCLA Hospital System, told the Los Angeles Times, "They are a highly sophisticated group [of hackers] likely to be offshore," before adding, "we really don't know."
UCLA Health is offering one year of identity theft recovery services, credit monitoring, and a $1,000,000 insurance reimbursement policy for those whose information has been compromised. Cyber attacks are becoming increasingly common among healthcare providers, since their information is valuable and their cyber security is typically weak. According to CNN, 4.5 million patients' personal data was stolen last year after a security breach at Community Health Systems, and an attack in January against Premera, America's largest health insurance company, affected 11 million patients.