CEO Blech on UCLA data breach: Medical data for 4.5 million people exposed
University of California Health was attacked and the medical data of some 4.5 million people was exposed, although officials say there is no proof that the data was actually stolen. The breach was discovered on May 5, but publicly reported last Friday.
“Isn’t it a tad simplistic to assume that hackers got in and took nothing? Wouldn’t it make more sense to assume that if the hackers bothered to hack that they probably took data?” said Richard Blech, CEO of Secure Channels.
“If the hackers are advanced enough — assuming UCLA has improved their security since their last incident – to breach the perimeter, it makes more sense to believe they were capable of hiding their trail, leaving no evidence. Sensitive personal and medical information should always be deeply encrypted, protecting data at its core.”
While not as big an exposure as the Anthem breach wherein 80 million subscribers’ and 19 million non-subscribers’ data was stolen, security experts predict healthcare breaches will be a continued trend no matter the size of the data set to be had.
“Recent reports suggest that up to 65 percent of all healthcare organizations have battled security incidents in the last two years,” said Stewart Draper, director of insider threat at Securonix.
“Cybercriminals and nation state groups have stepped up their focus on targeting the healthcare sector in 2015. As the industry begins to realize the investment in information security needed to help secure patient data it seems highly likely these type of attacks will continue, with medical records providing a much more lucrative target than data such as credit cards that can easily be changed.”
There’s a touch of irony and comeuppance in the UCLA Health hack too.
“It’s ironic that when Anthem suffered a massive data breach earlier this year, it was a director of the UCLA Center for Health Policy Research who admonished [the] health insurer for lax security measures in the LA Times on February 6, 2015,” said Igor Baikalov, chief scientist at Securonix.
“Just like Anthem, UCLA had been hacked before, back in 2006, and then in 2008 had to settle for data privacy violations. Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted. If our premium universities don’t learn from experience, what can we expect from other, less-learned organizations?”
UCLA Health confirmed the data was not encrypted and said they suspect the culprits to be a highly sophisticated offshore group.
So why are medical data thefts on the rise?
“Because they contain a wealth of sensitive information that can’t be changed or cancelled like a credit card number – for example, Social Security Numbers, dates of birth – a stolen medical record is an order of magnitude more valuable than a credit card, so any healthcare provider is a prime target,” said Jeff Hill, channel manager at STEALTHbits Technologies.
Find the original article on Information Security Buzz here.
More articles featuring Secure Channels Inc. CEO Richard Blech at the Secure Channels Inc. website.