NEW YORK — Hackers broke into the massive hospital network of the University of California, Los Angeles, accessing computers with sensitive records of 4.5 million people.
Names, medical information, Social Security numbers, Medicare numbers, health plan IDs, birthdays and physical addresses — all were potentially stolen, according to the university.
That could affect anyone who has visited — or works — at the university’s medical network, UCLA Health, which includes four hospitals and 150 offices across Southern California.
UCLA Health made this announcement on Friday — two months after it discovered the extent of the data breach.
Evidence collected by UCLA Health indicates hackers slipped into computers in September 2014. The next month, university network alarms “detected suspicious activity,” and UCLA Health called in the FBI for help.
“At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information,” UCLA Health said in a statement.
That changed on May 5, when UCLA claims it discovered hackers actually accessed computers with sensitive records.
The hospital group is now notifying staff and patients, offering them one year of identity theft recovery services.
CNNMoney asked UCLA Health why it waited so long to make this public. A company representative, Tod Tamberg, said: “The process of addressing the technological issues surrounding this incident and the logistics of identifying and notifying the potentially affected individuals was time-consuming.”
However, UCLA Health stresses it can’t yet be sure that hackers actually accessed — or stole — the records themselves.
The FBI told CNNMoney it’s currently trying to determine “the nature and scope” of the incident.
The UCLA Hospital System’s president, Dr. James Atkinson, apologized to the public in a statement. The hospital group also noted it is under “near-constant attack” by hackers — blocking “millions of known hacker attempts each year.”
UCLA Health said the hack forced it to employ more cybersecurity experts on its internal security team, and to hire an outside cybersecurity firm to guard its network.
Hospitals, health insurance companies, and universities have all become a frequent target for hackers seeking massive databases of personal information. Profile data, Social Security numbers and health records sell on the black market. Illegal data brokers amass large databases of this stolen information, then sell access to identity thieves.
Health care tends to lose larger numbers of records. When insurance giant Anthem was hacked, up to 80 million records were stolen. The Premera health insurance hack hit 11 million people. Hackers also stole data on 4.5 million Community Health System patients.
Universities get slammed as well. Last year, hackers stole 310,000 University of Maryland records. This year, Auburn University exposed its students’ Social Security numbers. North Dakota University, Butler University, and Indiana University have all exposed the private information of hundreds of thousands of students.