More PHI Breached in Another Cyberattack as Year of the Healthcare Hack Continues

Tue, Jul 21, 2015 --

Compliance, EMR/EHR

HIPAA, Health Records, privacy, security

As many as 4.5 million victims of yet another criminal cyberattack on a healthcare system received notice Friday that hackers compromised protected health information and Social Security information in what is tied for the fourth largest HIPAA breach ever reported to the HHS. UCLA Health System in Los Angeles reported on July 17 that hackers accessed a computer network containing personal and medical information in September 2014. The hospital noticed unusual activity on a computer server in October and initiated an investigation with the FBI.

The hackers were able to access demographic data like names, dates of birth, Social Security numbers, Medicare and health plan ID numbers, and some medical information such as diagnoses and procedures, James Atkinson, MD, interim associate vice chancellor and president of the UCLA Hospital System, told the LA Times. “They are a highly sophisticated group likely to be offshore,” Atkinson said of the hackers, adding that the investigation was continuing. He said that UCLA was working with the FBI, as well as private computer forensics experts, to secure the network servers.

Hospital officials said that the hacked patient information was not encrypted. Another massive data breach, February’s Anthem attack affecting 80 million people, occurred when hackers accessed unencrypted personal information in the Anthem systems.

UCLA a Past Victim of Theft of Celebrity Patients’ PHI

UCLA Health System was at the center of a HIPAA scandal in 2008 when workers snooped into the medical records of celebrity patients, including Farrah Fawcett, with one employee selling information to the National Enquirer.

That former hospital administrative specialist, Lawanda Jackson, pleaded guilty to selling the information but died of breast cancer before being sentenced. In 2010, a former medical school researcher at the hospital, Huping Zhou, was sentenced to four months in federal prison and fined $2000 for reading the confidential files of his coworkers, as well as many of the hospital’s celebrity patients.

Information Week reported that UCLA Health System paid $865,500 to the OCR in HIPAA violation fines for these breaches. At that time UCLA undertook an OCR-approved corrective action plan to bring its systems into compliance with patient privacy rules, focusing on policies and procedures to ensure employee compliance.

2015: Year of the Healthcare Hack

In March, the Washington Post called 2015 the year of the healthcare hack, estimating that the health information of more than 120 million people — numbers equivalent to a third of the U.S. population — had been compromised since 2009 in more than 1100 separate breaches. The Premera and UCLA hacks came later.

Healthcare data is valuable to thieves because, unlike a credit card number, Social Security numbers and medical health information are difficult, if not impossible, to change. Criminals can use the information they steal for medical insurance fraud, such as obtaining durable medical equipment for resale or obtaining medical care for another person.

What Constitutes a Breach?

Most breaches reported to the OCR are small and do not involve hackers breaking into a company’s record system. The most common breach is from a stolen device like a laptop or smartphone. According to Jim Sheldon-Dean, director of compliance services with Lewis Creek Systems, LLC, theft is the biggest source of HIPAA breaches, so it is important to keep PHI encrypted and secured, especially on portable, easy-to-lose devices like laptops, smartphones, and memory sticks.

Create Your HIPAA Compliance Plan the Easy Way

You’ve got to have an up-to-date, effective HIPAA compliance plan to avoid privacy and security penalties, like fines of up to $50,000 per occurrence and/or up to one year of imprisonment, but you may not have the time or resources to do it yourself. That’s where SuperCoder steps in to make HIPAA compliance easy, cutting planning time in half. SuperCoder will soon launch the HIPAA Institute, a new one-stop site for all things HIPAA that will walk you through creating a compliance plan, putting manuals, documents, templates, and forms all at your fingertips. It’s an easy step-by-step process ready-made just for you. HIPAA Institute – coming soon!

And don’t miss The Coding Institute/SuperCoder HIPAA Handbook! Packed with practical advice for safeguarding against HIPAA penalties, this handbook can help you create your risk analysis and keep your practice compliant.

Susan taught health information and healthcare documentation at the community college level for more than 20 years. She has a special love for medical language and terminology. She is passionate about ensuring accurate patient healthcare documentation through education. She has a master's degree in healthcare administration, is a certified healthcare documentation specialist, and serves as immediate past president for the Association for Healthcare Documentation Integrity (AHDI).