Online Platform : UCLA Health Network System
Year : July 2015
Affected Patients : 4.5 million
Incident : System hacking and leakage of health data
UCLA Health, stands for University of California, Los Angeles Health, is a medical group comprised of 4 hospitals, claiming that they are providing the best healthcare and medical technology to the people in LA and the world.
Interestingly, according to the UCLA website, they have more than 200 physicians are listed among the Best Doctors in America. Each year, there are more than 100,000 patients are admitted into their hospitals.
But that’s not the point.
Internet Hacking, still
It was reported that in May 2015, hackers had hacked into the UCLA Health network system. There was about 4.5 million patients’ personal data and sensitive information on their health records had been compromised.
It would essentially mean that the 4 hospitals and other medical offices that inter-connected to the network system had been exposed to the internet hackers.
The data that had been accessed and potentially being “hacked” by the cyber-attackers comprised of social security numbers, dates of birth, addresses and medical information such as lab test results, diagnoses, medications and other health data.
So What’s The Issue Here?
Number 1 – Data Profiling.
The health records that were stored electronically would be beneficial in profiling a patient’s medical record, possibly enable related industry player such as pharmaceutical company to advertise and sell their products to such patient.
Further, this sensitive medical information may as well include high degree sensitivity data such as HIV test result, exposed such patient to unprotected and highly unsecured risk in revealing these data publicly which was meant to be own privacy.
Number 2 – No Data Encryption.
UCLA Health confirmed that their electronic medical records / data had not been encrypted, causing the personal data was exposed in a “naked” manner, by such analogy.
“Encryption” essentially means an extra step to secure and transform the data intended to be protected into another form by using a key (password). The intended recipient could “decrypt” the encrypted data back to original form.
Let’s use a patient’s HIV test record as an example.
Record ABC (HIV record) + Key (Encrypted) –> XYZ (secured data).
XYZ couldn’t be recognised even you have such data on hand.
XYZ (secured data) + Key (Decrypted) –> Record ABC (HIV record).
As such, the hackers that accessed and possibly stole the 4.5 million patients’ data were able to read the information easily without any challenges, as in a “naked” manner, because those data weren’t wearing any clothes.
More Interesting Facts – Identity Theft Insurance Coverage
Following the leakage of the personal data, UCLA announced that they were offering a year of identity-theft insurance protection to those affected patients.
An identity-theft insurance policy means that if your identity is stolen (which mean your personal data) and because of such incident, you suffered financial losses such as the hacker log in to bank account and siphoned out the money, the insurance company will cover the victim’s financial losses up to certain insured amount.
However, a loss of personal data would beyond pure monetary loss. Imagine the HIV test result has been made publicly, it is arguable that the damage on the reputation or image is irreparable and such harm cannot be undone.
What’s More Interesting? – The Hospital Could Be Made Liable!
In United States for example, they have a federal law known as the Health Insurance Portability and Accountability Act 1996 made under the administration of Bill Clinton.
Under HIPAA, the hospital would need to adopt certain protective measures in guarding the patients’ electronic medical records failing which they could be made liable for such breach.
In 2008, there was a medical data leakage caused by UCLA’s internal workers who snooped and then sold the medical records of famous artists such as Britney Spears. UCLA paid $865,500 to the federal enforcers.