Skip to content Skip to navigation

The UCLA Health System Data Breach: How Bad Could It Be…?

July 18, 2015
| Reprints
Could news of this massive data breach lead to broader encryption of core PHI within EHRs?

Just hours ago, a Los Angeles Times report broke the news that hackers had broken into the UCLA Health System, creating a data breach that may affect 4.5 million people. This may turn out to be one of the biggest breaches of its kind in a single patient care organization to date, in the U.S. healthcare system. And it follows by only a few months the enormous data breach at Anthem, one of the nation’s largest commercial health insurers, a breach that has potentially compromised the data of 4.5 million Americans.

The L.A. Times report, by Chad Terhune, noted that “The university said there was no evidence yet that patient data were taken, but it can't rule out that possibility while the investigation continues. And it quoted Dr. James Atkinson, interim president of the UCLA Hospital System, as saying “We take this attack on our systems extremely seriously. For patients that entrust us with their care, their privacy is our highest priority we deeply regret this has happened.”

But Terhune also was able to report a truly damning  fact. He writes, “The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.” And he quotes Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, as saying, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”

What’s startling is that the breach at the Indianapolis-based Anthem, revealed on Feb. 5, and which compromised the data of up to 80 million health plan members, shared two very important characteristics with the UCLA Health breach, so far as we know at this moment, hours after the UCLA breach. Both were created by hackers; and both involved unencrypted data. That’s right—according to the L.A. Times report, UCLA Health’s data was also unencrypted.

Unencrypted? Yes, really. And the reality is that, even though the majority of patient care organizations do not yet encrypt their core, identifiable, protected health information (PHI) within their electronic health records (EHRs) when not being clinically exchanged, this breach speaks to a transition that patient care organizations should consider making soon. That is particularly so in light of the Anthem case. Indeed, as I noted in a Feb. 9 blog on the subject, “[A]s presented in one of the class action lawsuits just recently filed against it,” the language of that suit “contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.”

As I further stated in that blog, “I think one of the key causes in the above complaint [lawsuits were filed against Anthem within a few days of the breach] is this one: ‘the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.’ In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.”

Now, I am not a torts or personal injury lawyer, and I don’t even play one on TV. But I can see where, soon, the failure to encrypt core PHI within EHRs may soon become a legal liability.

Per that, just consider a March 20 op-ed column in The Washington Post by Andrea Peterson, with the quite-compelling headline, “2015 is already the year of the health-care hack—and it’s going to get worse.” In it, Peterson,  who, according to her authoring information at the close of the column, “covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government,” notes that “Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.” Indeed, she notes, “Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.” Well, at this point, that figure would now be about 124.5 million, if the UCLA Health breach turns out to be as bad as one imagines it might be.




Baseball legend Yogi Berra sums it very well: “It's like deja-vu, all over again.”

A hack of UCLA Health's four-hospital system computer network may have compromised personal and medical information for as many as 4.5 million individuals. The hack was determined in May, but suspicious network activity has been under FBI investigation since October 2014.

The health system said Friday they have taken "significant steps" to protect data and strengthen their network; they are also offering all those impacted by the breach 12 months of identity theft recovery and restoration services on top of other healthcare ID protection tools.

This is like “closing the door after the fox has left with most of the chickens.”

CVS, the nation’s second largest drug store chain, also announced last week that their network may have been comprised by hackers. I find it troubling that they can’t be sure! These latest massive cyberattacks clearly demonstrates two things: we need to immediately encrypt all stored PHI and we need to improve the security measures that protect access to that data.

Even though the speed of data processing speed sometimes suffers as a result of encryption, the justifications for not encrypting data are quickly going away. Safe and secure are better than fast.

Secondly, we must take the human element out of PHI data access. Bio-access security systems must be employed that will thwart unsuspecting healthcare workers from falling prey to sophisticated “phishing expeditions” by professional hackers.

Healthcare organizations are traditionally slow in their decision-making processes. This is one decision that must be put on the fast track!