In a statement on Friday, UCLA Health said that attackers accessed parts of its network where personal and medical records are stored. However, unlike previous medical breaches this year, they have no actual evidence that the attacker actually accessed any of the data.
"UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual’s personal or medical information," the statement says in part.
"UCLA Health detected suspicious activity in its network in October 2014, and began an investigation with assistance from the FBI. At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information.
"As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the UCLA Health network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information. Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter."
Again, there is no evidence that the attacker accessed or acquired personal or medical records, but because UCLA Health cannot conclusively rule out the possibility that such a breach happened, they're contacting the affected individuals and offering them one year of credit monitoring.
The incident will impact 4.2 million people. It's been reported that the data potentially accessed by the attackers was not encrypted.
According to the Department of Health and Human Services (HHS), more than 120 million people have been compromised in more than 1,110 separate breaches since 2009 – a third of the US population.
"Healthcare information security is in critical condition. We have seen report after report of millions upon millions of records breached this year," said Clinton Karr, senior security strategist at Bromium.
"These data breaches are symptomatic of a failure of healthcare organizations to invest in preventative measures, such as threat isolation."