Health Information Management

UCLA health system hacked, 4.5 million people affected

HIM-HIPAA Insider, July 27, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Cyber criminals hacked into part of a computer network at UCLA Health System in California, compromising records of at least 4.5 million people, the university hospital system reported July 17.

There is no evidence yet the hackers obtained access to or acquired individuals’ PHI, although a statement from UCLA Health said the compromised areas of the network contain the following patient information:

  • Names
  • Addresses
  • Birthdates
  • Social Security numbers
  • Medical record numbers
  • Medicare or health plan numbers

The health system is working with the Federal Bureau of Investigation (FBI) and has also hired private computer forensic experts to secure information on network servers.

UCLA Health first detected suspicious activity on its network in October 2014 and began an investigation with the FBI, but it didn’t appear the attackers had gained access to personal or medication information at that time, according to the official statement.

It wasn’t until May 5 that investigators determined the hackers accessed parts of the network containing PHI, said UCLA Health, adding that evidence suggests the hackers may have been active as early as September 2014.

As the investigation continues, the health system is still in the process of notifying possible victims and is offering all 4.5 million people one year of free identity theft and restoration services as well as other healthcare identity protection tools. Additionally, one year of free credit monitoring will be offered to people whose Social Security number or Medicare number was potentially compromised.

“UCLA Health identifies and blocks millions of known hacker attempts each year. In response to this attack, however, we have engaged the services of leading cyber-surveillance and security firms, which are actively monitoring and protecting our network,” read the July 17 statement. “We have also expanded our internal security team. These are just a few of the important measures we are taking to help protect against another cyber-attack.”

In addition to sending letters to potential victims, the health system has also established a website at with more details on how to access fraud detection and prevention services.

This article appeared on HCPro’s HIPAA Update blog. Stay up to date on all things HIPAA by signing up for e-mail updates from this blog.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs
  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular