Patient Data Breach at UCLA Hospital System Possibly Impacting 4.5 Million Patients

The LA Times is reporting that UCLA Health System has had a data breach possibly affecting 4.5 million patients. It’s the usual story of a HIPAA breach of this size. They saw some abnormal activity on one of their systems that contained a large amount of patient records. They don’t have any evidence that such data was taken, but hackers are usually really good about not leaving a trail when they take records.

Here’s some comments from UCLA Health as quoted in the LA Times article linked above:

“We take this attack on our systems extremely seriously,” said Dr. James Atkinson, interim associate vice chancellor and president of the UCLA Hospital System.

In an interview, Atkinson said the hospital saw unusual activity in one of its computer servers in October. An investigation confirmed in May that the hackers had gained access to patient information.

“They are a highly sophisticated group likely to be offshore,” he said. “We really don’t know. It’s an ongoing investigation.”

I have yet to see a hospital say they don’t take a breach seriously. I’ve also never seen a hospital say that they were hacked by unsophisticated hackers that exploited their poor security (although, you can be sure that happens in every industry). Of course it had to be a sophisticated attack for them to breach their amazing security, right?

What’s not clear to me is why it took them so long to confirm they’d been hacked. The LA Times article says that they saw the unusual activity in October and it took until May to confirm that “the hackers had gained access to patient information.” Now we’re just getting the public notification in July? All of that seems long, but maybe the attack was just that sophisticated.

What’s scary for me is that these types of breaches have become so common place that I’m not surprised and it’s not shocking. In fact, they’ve almost become standard. Next up will be UCLA Health System setting up some type of credit protection service for their patients assuming there was some financial data there as well. I don’t think we should treat these breaches as normal. They should be a wake up call to everyone in the industry, but I’m sorry to say that it feels more like the norm than the exception.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

6 Comments

  • If your government agencies with unlimited tax-payer resources can’t prevent sophisticated hackers, what is the probability of less funded organizations rebuffing these same attacks? For all we know, those sophisticated hackers could be our own government with the purpose of extracting penalties and fines on unsuspecting healthcare providers.

    Security factoid 101: If you don’t want your data hacked, don’t plug into a network.

  • Here’s a partial letter I wrote to several congressmen and one cybersecurity expert. It involves encrypting the data, not network security. Have not heard back from either. Maybe the EMR community could benefit…

    ———-
    “Some people have stated that “encryption would not have helped” to prevent the OPM hack. This is of course nonsense. The point of good encryption is not that a message can’t eventually be deciphered, but to make the effort so time-consuming and expensive that any such effort is futile.

    “I wrote an local-on-site plain-text-only encryption/decryption routine a few years ago that would have prevented the OPM loss, because EVERY FILE (or database field) is ENCRYPTED DIFFERENTLY in a random multi-encryption scheme that can be decrypted only by this program, and the program, if used, could be protected from outside access.

    “Think about those German U-boats with their four rotors in fixed positions in their Enigma machines, sending and receiving many messages using the same setting, and thus ultimately cracked by the British. Now imagine if there were, say, ten possible rotors positions. For EACH MESSAGE, maybe a random number (3-6) of these rotors would be inserted into Enigma in a random order. I doubt the British would have been able to crack this scheme.

    “I’ve implemented this as a simple test CGI form: http://www.fcta.org/cgi-bin/enigma , posted on the web domain I maintain. Try it yourself! Insert a few paragraphs of your choice and watch it alternately decode and encode. Feel free to pass this link along to various agency cyber-experts to assess if a similar scheme would be effective in securing important agency data.

    “Besides being limited to just text, an obvious caveat is that (eg form SF86), one should never encode the boilerplate form text with the individual answers. Otherwise, a hacker familiar with the raw form could then use this part to decode the answers. (Encoding them separately would be OK.) Nevertheless, the basic concept, I think, might warrant consideration for agencies or corporations.

  • Hi David,
    I can’t remember offhand the details of the OPM hack, but I’ve seen many articles that mention that encryption wouldn’t have helped during a hack. This is true in many cases where the hacker essentially gets the user’s login and so they have the key that gets through the encryption. Not sure if that was the case in the OPM hack, but I’ve seen that happen a number of times.

    To me it goes back to the people using the system being the weakest link in most healthcare security. Although, we shouldn’t use that as an excuse not to encrypt healthcare data. That can prevent a lot of hacks that would happen otherwise.

  • I agree that social hacking was likely the approach to gain user level access and essentially negate the potential encryption barrier. If os, and I would be very interested to hear how the system was attacked, perhaps 2 factor auth should be the norm for all HIT systems today.

  • Dr. Tom,
    I’m seeing more and more 2 factor authentication outside of healthcare. I’m using it a lot more myself in my personal life. Healthcare should definitely take a good look at it. One challenge is that many organizations have implemented a workflow that requires them to log in 50+ times a day. 2 factor authentication would make that quite brutal.

  • The OPM data was not encrypted even once, probably similar to most EMT data. And even if it had been encrypted, it would likely have been the same encryption scheme throughout — ultimate hackable.

    I’m suggesting encoding every record in a random and different way, using multiple levels of encryption — via an independent program that can be positively shielded from use outside the local network. And a record is encrypted differently every time it is edited, without any “quite brutal” effects. (See https://en.wikipedia.org/wiki/Multiple_encryption)

    If Ashley Madison had used my approach, those 37M-record hacker downloads would have been worthless, because the raw data is useless without the tightly-held independent decryption program that Ashley would have maintained to decipher each one.

Click here to post a comment
   

Categories