UCLA Health hospitals say hackers may have accessed personal information and medical records on 4.5 million patients.
The California medical group admitted today that miscreants infiltrated its computer systems as long ago as September. It is possible the intruders accessed databases holding patient names, addresses, dates of birth, social security numbers, medical records, health plan numbers, details of medical conditions, lists of medications, and medical test results.
UCLA Health said that by October its IT staff thought something fishy was going on, but only realized months later, on May 5, that patient data was at risk. We're told that sensitive information on "UCLA Health patients and providers who sought privileges at any UCLA Health hospital" could have been viewed by the crims.
Hospital bosses aren't convinced the attackers were able to copy the information out of the network, and claim it's possible the hackers may not have viewed the medical records. El Reg reckons that's wishful thinking.
"While the attackers accessed parts of the computer network that contain personal and medical information, UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual’s personal or medical information," the group said in a statement.
"UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been involved in the attack, believed to be the work of criminal hackers."
Though the UCLA Health hack will not hit as many people as the Target or OPM intrusions, the nature of the private information potentially exposed could make the cache highly valuable to real scumbags.
"Because they contain a wealth of sensitive information that can't be changed or cancelled like a credit card number (e.g., Social Security numbers, dates of birth), a stolen medical record is an order of magnitude more valuable than a credit card," noted Jeff Hill, a channel manager with security company StealthBits Technologies.
Those whose information was potentially leaked will be notified by mail. The hospital group is offering free identity protection as well as a $1,000,000 fraud insurance policy for each of its 4.5 million patients. ®