The health system will invest $5.5 million in new network security improvements and shell out $2 million for class action claims after the hack exposed the data of 4.5 million patients.

UCLA will pay $7.5 million in claims, cyber enhancements to settle 2015 breach

By Mike Miliard
01:52 PM

When it occurred in July 2015, it was the fourth-biggest healthcare data breach to date – and nearly four years of regular cyberattacks later, it's still in the top five.

Now, to settle with some 4.5 million UCLA Health System patients whose records, most of them unencrypted, were compromised after hackers gained access to the network, UCLA will pay $7.5 million.

WHY IT MATTERS
According to the settlement agreement, in addition to the usual credit monitoring, identity theft protection and insurance (two years' worth), UCLA Health will create a $2 million fund to help reimburse claimants for any preventive or remedial measures related to identity theft.

To bolster its cyber defenses and, ideally, help prevent any similar data breaches going forward, the health system will also earmark $5.5 million, "beyond currently budgeted spending – plus any money remaining in the claims reimbursement fund – for the purpose of expediting and implementing cybersecurity enhancements to the UCLA Health computer network."

THE LARGER TREND
The breach took place in September 2014 but it wasn't until nearly a year later that patients were told about it. The incident saw sensitive clinical and financial data such as medical diagnoses and diseases, clinical procedures, test results, Social Security numbers, addresses and dates of birth compromised by hackers who'd gained access to the health system's IT network.

The event drew attention not just for its scope and size, but for the fact that, as with many other healthcare breaches then and now, the data was mostly unencrypted.

Four years later, despite a much greater awareness of the potential stakes – UCLA shared the headlines in 2015 with Anthem Blue Cross and Premera Blue Cross, whose own incidents exposed data of 79 million and 11 million customers, respectively, still the two biggest-ever healthcare breaches – some of those frailties remain industry-wide.

A month ago, we showed how hacking and IT incidents are now the number-one cause for data breaches in healthcare. And that, while the total number of such incidents is at a three-year low, the events – still often caused by underprotected IT environments – are larger and affect more consumers.

ON THE RECORD
"Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years," said Rich Campagna, CMO of Bitglass, referring to that report. "However, the growth in hacking and IT incidents does deserve special attention."

With $5.5 million extra now invested in shoring up its own networks, UCLA Health System – which just won a HIMSS Davies award for its clinical IT innovations – is hoping to do just that.

"Protecting patient privacy is essential to UCLA’s mission," said health system officials as part of the settlement, under which it admitted no wrongdoing. "Maintaining data security requires constant vigilance, and UCLA Health applies extensive resources and works with leading experts to enhance preparedness and combat the ongoing threat of cyber attacks."


Healthcare IT News is a HIMSS Media publication.