Experts chide UCLA for lack of encryption

LOS ANGELES – Hackers broke into UCLA Health System’s computer network and may have accessed sensitive information on as many as 4.5 million patients, hospital officials said.

This cyberattack at UCLA comes on the heels of a major breach of federal employee records and a massive hack at health insurance giant Anthem Inc., affecting 80 million Americans this year.

The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

The revelation that UCLA hadn’t taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cyber-criminals are targeting so many big players in healthcare, retail and government.

“These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” Dr. Deborah Peel told the Los Angeles Times. Dr. Peel is founder of Patient Privacy Rights in Austin, Texas.

UCLA said Friday that it’s working with the FBI and had hired computer forensic experts to further secure its network.

The university said there was no evidence yet that patient data were taken, but it can’t rule out that possibility while the investigation continues.

“We take this attack on our systems extremely seriously,” said Dr. James Atkinson (pictured), interim president of the UCLA Hospital System. “For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened.”

Atkinson said the hospital detected unusual activity on one of its computer servers in October and began investigating with help from the FBI.

It wasn’t until May 5, according to UCLA, that investigators determined that the hackers had gained access to parts of UCLA Health’s computer network where some patient information was stored.

Those parts of the network contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures.

The unauthorized access could have begun in September 2014, UCLA said, and some of the patient information dates to 1990.

Atkinson said it doesn’t appear that credit card and other financial information was involved.

“They are a highly sophisticated group [of hackers] likely to be offshore,” he said. “We really don’t know. It’s an ongoing investigation.”

An FBI spokeswoman said the agency “is looking into the nature and scope of the matter, as well as the person or group responsible” for the UCLA breach.

UCLA said that prior to the attack on its system it had been taking steps and spending tens of millions of dollars to strengthen its computer security. It added that it has successfully thwarted hacker attacks in the past.

But some security experts were unimpressed. They questioned the lack of encryption at UCLA in light of other breaches across the country. Anthem faced similar criticism over its failure to encrypt the information that was exposed to hackers during its cyberattack.