UCLA Health has notified more than 1,200 patients that they may have had their medical information exposed in yet another data breach.
The possible compromise is due to a faculty member’s laptop being stolen in early July.
In a statement, UCLA Health said that no Social Security numbers, credit card numbers or financial data were stored on the laptop, but it did contain medical information and patient records.
Officials said that the delay in notification was because the organization had just finished analyzing the data from the backup of the laptop on Aug. 14 – and that it has taken until now to compile a list of 1,242 individuals who may have had their information stolen. It also said that no interviews on the situation would be given.
UCLA Health said it notified the U.S. Department of Health and Human Services Office of Civil Rights, the California Attorney General and other theft regulators.
UCLA Health does have policies and programs in place to identify “red flags” or warnings of possible medical identity theft and “inform patients when these are found,” it added.
The news comes on the heels of another, much larger breach that was revealed on July 17. In that instance, hackers broke into the network and gained potential access to the medical information of more than 4.5 million patients.
UCLA Health’s history of poor data management—be it insufficient network security safeguards or poor physical security—stretches back a ways. In 2011, it agreed to pay an $865,000 fine for HIPAA privacy/security violations and implement a three-year corrective action plan after allowing unauthorized employee access to patient records from 2005 to 2008.
And there are other red flags pointing to data management chaos at the institution. The Los Angeles Times published a story about Steve Reasner, a UCLA patient, on Aug. 21. He received no fewer than nine separate breach notification letters from UCLA—but they were all addressed to other people. When he called to inquire about his own medical data, he was told he wasn't among those affected—only to get a letter two weeks later saying that he actually was.
"All of our doctors are at UCLA. I knew for sure that was an incorrect statement," he told the paper.
Sadly, UCLA is not alone. Other healthcare organizations, like Anthem, have been breached this year too.
“UCLA is the latest in a string of high-profile breaches at healthcare companies, which are ripe targets because they collect very sensitive information on patients that can be used to access someone’s financial records or steal a person's identity,” said Eric Chiu, president and co-founder of HyTrust, in an email. “These types of attacks are often extensive in terms of the amount of information bad guys are able to pilfer, because they typically happen from the inside using system administrator or employee credentials. If organizations don’t make security a top priority and think of it as part of doing business, consumers will continue to suffer the consequences.”
Edited by Rory J. Thompson