The UCLA Health system in Los Angeles was the victim of a cyber attack involving the personal data of 4.5 million people recently, and it is facing two class-action lawsuits from those affected.
Michael Allen, a UCLA Health patient, filed the lawsuit in U.S. District Court for the Central District of California after public reports said that UCLA Health System Auxiliary failed to have proper security measures in place to prevent the data breach. Most notably, it did not encrypt the data, according to reports. Another patient, Miguel Ortiz, filed a similar lawsuit. Both lawsuits make claims of breach of contract and negligence.
The health system reported that it first saw unusual activity in a computer server in October 2014 but only confirmed the attack on May 5. An initial investigation suggested the attacker had access to the UCLA Health’s network since September 2014.
The attack hit parts of UCLA’s network containing protected health information including names, addresses, birth dates, Social Security numbers, medical record numbers, health plan numbers, Medicare numbers, and some medical information.
Security experts were critical that such a large health system would lack sophisticated defenses for its network. The lack of encryption was particularly surprising, says Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, the research arm of the anti-malware company in San Jose, CA. “A big problem with this attack, like the breach of Anthem, was a lack of encryption, and therefore security standards that need to be met,” he says. “While there are currently talks going on to create a nationwide security standard for all organizations that hold onto customer data, it might be a better solution to create a central authority for medical documents.”
That authority could be queried and populated by individual hospitals, insurance companies, and other groups that require customer information, he explains. This information could be sent encrypted and held under a secure lock and key, which would make the breach of an individual organization less severe to the customers.
“Either way, this is a clear sign of the importance of changing our current security standards across the board,” Kujawa says.
- Adam Kujawa, Head of Malware Intelligence, Malwarebytes Labs, San Jose, CA. Telephone: (800) 520-2796.