UCLA Health in mid-July announced it had suffered a cyberattack—which started in September 2014—that affected up to 4.5 million individuals. But the organization appears to have other significant security issues and isn’t being particularly forthcoming.

On Sept. 1, the organization issued a notice to media of a new breach and that it was notifying 1,242 individuals after an unencrypted laptop was stolen. The notice included: “Note to editors: No spokespersons are available for interviews.”

The laptop was reported stolen on July 3. Protected health information on the device included patient names, medical record numbers and health information to prepare treatment plans. Social Security numbers, health plan ID numbers, credit card numbers and other financial information were not on the laptop.


“At this time, there is no evidence that any individual’s personal or medical information stored on the laptop has been accessed, disclosed or used,” said the notice. “UCLA Health does have policies and programs in place to identify ‘red flags’ or warnings of possible medical identity theft and inform patients when these are found.”

The notice makes no mention of offering protective services, but the most sensitive information was not on the laptop.

However, there may have been another breach between the announcement of the cyberattack and the theft of the laptop. The Los Angeles Times on August 21 published a story about Steve Reasner, a UCLA patient, who received nine different notification letters addressed to other people after the hacking. He called UCLA Health to inquire about his medical information and was told he was not affected by the hack. Two weeks later, Reasner received a letter of notification that his protected health information had been compromised in the hack.

UCLA Health already is one of about two dozen organizations that have settled allegations of serious HIPAA privacy/security violations with the HHS Office for Civil Rights. The organization in 2011 agreed to pay an $865,000 fine and implement a three-year corrective action plan because of unauthorized employee snooping in patient records, including those of celebrities, from 2005 to 2008.

This article courtesy of Information Management's sister brand, HealthData Management.
