Poor Security Practices Likely a Factor in UCLA Health Data Breach
Back on July 17th 2015, UCLA Health announced that it was the victim of a health data breach affecting as many as 4.5 million healthcare clients from the four hospitals it runs in the Southern California region. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) were accessed, but no evidence yet suggests that the data was stolen. This data went as far back as 1990. The officials also stated that there was no evidence yet that any credit card or financial data was accessed.
The key word in the last two sentences above is “yet.” The information accessed (or possibly stolen; it's certainly hard to know at this point) remains usable for virtually the entire life of the affected individual, and potentially even after that individual's death. The information available to the perpetrators included names, addresses, phone numbers, Social Security Numbers, medical conditions, medications prescribed, medical procedures performed, and test results.
Little is known about this data breach, like so many others we hear about but never learn any real details of. UCLA Health discovered unusual activity in segments of its network in October of 2014 (although access potentially started one month earlier) and immediately contacted the FBI. By May 2015 – a full 7 months later – investigators stated that a data breach had occurred. Again, officials claim that the attackers are most likely highly sophisticated and not in the United States. Finally, we the public got to hear about the breach a full two months later, on July 17, 2015.
It’s been said many times before that we as security professionals need to be correct 100% of the time, while the bad guys only need to find that 1% that we may not be able to rectify. Based on our research about the breach, the bottom line is that UCLA Health had poor security practices. One reason is the simple fact that the data accessed was not encrypted. We have had HIPAA for a while now, and UCLA is a well-regarded bastion of higher education, yet it still failed to protect data in the simplest ways. The claim that these were highly sophisticated individuals is also suspect, as so far no real evidence has been produced. After all, when is the last time an organization that has been breached claimed it wasn’t the result of an “advanced” attack? Even if they claim to have such evidence, as members of the public we won’t see it in order to vet it properly.
Since there isn’t enough disclosed information about the breach, it's difficult to determine whether any solution would have helped find the breach sooner rather than later. However, if the breach started with malware being delivered to and executed by a UCLA Health network user, the likelihood that Ziften could have assisted in discovering the malware, and potentially stopping it, would have been reasonably high. Ziften could also have alerted on suspicious, unknown, or known malware, as well as on any communications the malware made in order to spread internally or to exfiltrate data to an external host.
When are we going to learn? As we all know, it’s not a matter of if, but when, organizations will be breached. Smart organizations are preparing for the inevitable with detection and response solutions that mitigate damage.