UCLA Health Data Unencrypted–and No Policy to Report Lost Laptops

Ronald Reagan UCLA Hospital (King of Hearts / Wikimedia Commons)
Newport Beach, CA

It is not surprising that hackers broke into UCLA’s health system to try to gain access to some of the 4.5 million patients’ records, given the sheer scale of personal health data that has been compromised. But what is shocking is that those records were never protected with basic encryption, and lost laptops were not required to be reported. Although UCLA said there was no evidence at this time that any patient files were taken, the investigation is ongoing.

A university spokesman said that Ronald Reagan Medical Center first detected unauthorized penetration of its computers in October 2014 and made a referral to the Federal Bureau of Investigation to aid in its investigation. But it took over six months before investigators determined that hackers had gained access to the patient records section of the hospital’s computer network.

The Department of Health & Human Services’ Office for Civil Rights (OCR), the federal agency charged with enforcing the privacy rule of the 1996 Health Insurance Portability and Accountability Act (HIPAA), estimates that personal health data of 30 million Americans has been compromised since 2009. The OCR lists nearly 1,000 data breaches, each involving more than 500 individuals, on a section of its website known as the “Wall of Shame.”

A 2013 Ponemon Institute survey revealed that 94 percent of health care organizations have experienced at least one breach over the last two years, and nearly half–45 percent–were struck by more than five. The top causes were lost or stolen laptops, employee errors, miscommunications and mistakes by third parties, followed by criminal attacks.

The UCLA Health policy, “UC Policy IS-3, Electronic Information Security,” requires that all portable laptops be encrypted to protect “Electronic Protected Health Information,” referred to as “ePHI.” The ePHI includes all data that may be transmitted over the Internet, or stored on a computer, a CD, a disk, magnetic tape or other media.

“Personal Information (PI)” refers to an individual’s name, combined with:

(1) Social security number; (2) Driver’s license number or California identification card number; (3) Account number, credit, or debit card number, in combination with any required security access code, or password that would permit access to an individual’s financial account; (4) Medical information; and (5) Health insurance information.

For identity theft hackers and Hollywood’s vicious celebrity paparazzi, this is the motherlode of data that can be used to rob, cheat, steal, blackmail or embarrass individuals.

The UCLA Health System went through a scandal from 2008 to 2010 when it was discovered that celebrity medical records were subject to unauthorized access by a number of hospital employees. UCLA agreed to pay $865,500 as part of a settlement with federal regulators after a former employee was convicted of a felony charge of violating federal medical privacy law for commercial purposes by selling the medical records of Britney Spears, Farrah Fawcett and other high-profile patients to the National Enquirer.

The FBI report said the tabloid had deposited checks totaling at least $4,600 into the checking account of Lawanda Jackson’s husband beginning in 2006. Jackson resigned in 2007 facing an indictment with a maximum 10-year prison sentence and a $250,000 fine. Ms. Jackson died of cancer prior to trial.

Neighboring Cedars-Sinai Medical Center in June of 2013 fired six workers for unauthorized access of the medical records in the days after reality television star Kim Kardashian gave birth to her daughter. It was discovered that three physicians violated hospital policy by giving underlings their hospital log-ons, which were later used to access confidential patient records, according to the hospital.

The lack of encryption of records stored on UCLA Health System’s central mainframe computers is all the more perplexing, given that the hospital requires all laptops to use the highly-respected Pointsec Full Disk Encryption, which provides automatic security for all information on endpoint hard drives, including user data, operating system files and temporary and erased files. Pointsec’s multi-factor pre-boot authentication ensures user identity, while encryption prevents data loss from theft.

But UCLA’s policy regarding what to do if a laptop with “Restricted Information” is lost or stolen states: “If an encrypted laptop is stolen, notification is not required. This is a major driver for encrypting all UCLA-owned laptops.”

There is speculation that the UCLA breach was due to some type of state-sponsored or sophisticated criminal hacker group. But lack of encryption and no requirement to report lost or stolen devices containing passwords and access protocols are an open invitation for any amateur to access and “mine” UCLA Health’s data.