UCLA Health says it was a victim of a criminal cyberattack that affected as many as 4.5 million people.
UCLA Health, in a statement Friday, said attackers accessed parts of the computer network that contain personal and medical information, but there is no evidence they "actually accessed or acquired any individual's personal or medical information." The statement said UCLA Health is working with the FBI and has hired private computer forensic experts to help in the investigation.
"We take this attack on our systems extremely seriously," Dr. James Atkinson, the interim associate vice chancellor and president of the UCLA Hospital System, said in the statement. "Our patients come first at UCLA Health and confidentiality is a critical part of our commitment to care."
Here's more from the statement:
"UCLA Health detected suspicious activity in its network in October 2014, and began an investigation with assistance from the FBI. At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information. As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the UCLA Health network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information. Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter."
The Los Angeles Times reports the information the hackers accessed was not encrypted. The newspaper adds:
"The failure to take that additional precaution has generated criticism in other high-profile cyberattacks. In February, health insurance giant Anthem Inc. said it had suffered a massive data breach exposing the personal information of about 80 million people."