In July 2011 UCLA Health settled HIPAA violations, paid a fine of $865,000, and “committed to a corrective action plan aimed at remedying gaps in its compliance with the rules,” but they were not prepared for a 2014 cyberattack because of July 17, 2015 UCLA issued a press release where it admitted a new HIPAA violation affecting up to 4.5 million patients “believed to be the work of criminal hackers”:
UCLA Health announced today it was a victim of a criminal cyberattack. While the attackers accessed parts of the computer network that contain personal and medical information, UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual’s personal or medical information.
UCLA Health is working with investigators from the Federal Bureau of Investigation, and has hired private computer forensic experts to further secure information on network servers.
Apparently the cyberattack investigation began in 2014 and as part of the investigation:
…on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the UCLA Health network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information.
Time will tell about how bad this cyberattack has been for UCLA and its patients.