UCLA Health announced today that it was the victim of a cybersecurity attack. The press report  disseminated by UCLA Health noted there is evidence that computer systems containing sensitive personal data and health data was accessed; however, at this time UCLA Health maintains that no personal or health data itself was accessed or acquired.  It is estimated that 4.5 million individuals may have potentially been involved in the attack.

UCLA Health initially discovered suspicious activity in October 2014 and worked with the Federal Bureau of Investigations (FBI) to investigate. The forensics initially showed no evidence that systems containing personal and health information were affected.  However in May of this year, it was discovered that the hackers had infiltrated computer systems containing sensitive data including:  names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information.

At this time, the investigations have shown no evidence that this sensitive data was accessed or acquired; however, because UCLA Health can not conclusively prove that no sensitive data was access or acquired it has decided to notify the potentially affected individuals. UCLA Health is sending notice to the affected individuals and offering one  year of free identity theft recovery and restoration services and a year of free credit monitoring.

This incident highlights the risks that health care entities and business associates storing health information face. Hackers are increasingly focusing their efforts on these type of entities. Companies in this field must ensure that they have proper system monitoring in place to detect attacks and incident response procedures to adequately address potential breach incidents such as the one experienced by UCLA Health.