Concern has been expressed over the amount of time that UCLA Health took to inform its patients following a serious data breach between September 2014 and early 2015. The breach compromised a significant amount of personal data including the names, addresses, dates of birth, medical conditions, medications and procedures of up to 4.5 million people. California law requires that all breaches must be notified "in the most expedient time possible", yet patients were not notified until they received a letter dated 17 July 2015, despite UCLA becoming aware of the breach on 5 May 2015. UCLA has since offered 12 months of free credit monitoring and theft recovery services to all affected persons.