UCLA Health hit by hack; medical data on 4.5 million people exposed

The LA-based university health system says the data stolen was not encrypted.
Written by Zack Whittaker, Contributor
(Image: UCLA Health)

University of California (UCLA) Health has been hit by a cyberattack that exposed the data of about 4.5 million people in the region.

The organization said Friday that a network containing personal and medical information was accessed by unknown hackers, including names, addresses, Social Security numbers and medical data -- such as condition, medications, procedures, and test results.

However, the organization said there was "no evidence" data was taken, though it "cannot conclusively rule out that possibility."

The health system, which runs four hospitals in the Los Angeles, Calif. area, said it is working with the FBI and a third-party forensics unit to determine the cause of the breach, which happened October last year. The breach was discovered on May 5.

It's not known at this stage who is behind the attack. James Atkinson, interim associate vice chancellor and president of the UCLA Hospital System, told the LA Times that it was "a highly sophisticated group likely to be offshore."

Crucially, UCLA Health confirmed the data was not encrypted, the report said, meaning the data -- if accessed or stolen -- could be used to steal the identities or other personal information of those affected.

Individuals whose information was stored on the affected parts of the network are in the process of being notified.

This is the latest attack in a long list of health systems, hospitals, and insurance companies that have suffered at the hands of hackers in recent months, including Anthem and Premera Blue Cross, which have between them affected tens of millions of Americans.

The attack on Anthem saw about 80 million subscribers' records exposed, discovered in early February, along with data on about 19 million non-subscribers.

China was initially blamed for the attack, which the FBI previously said was looking at a state-sponsored actor. China maintained that it does not attack US companies.

14 privacy tools you should use to stay secure

Editorial standards