Hackers invade systems holding medical files on 4.5 million Cali patients

UCLA Health hospitals say hackers may have accessed personal information and medical records on 4.5 million patients. The California medical group admitted today that miscreants infiltrated its computer systems as long ago as September. It is possible the intruders accessed databases holding patient names, addresses, dates of …

  1. elDog

    Plenty of time to find a new job?

    UCLA Health said by October its IT staff thought something fishy was going on, and realized that patient data was at risk months later on May 5.

    One could ask, why the delay?

    One could also be uncharitable and say that the (ir)responsible staff first tried to staunch the flow, then spent a month or two working on good alibis, and then left the ship for another place where they could malpractice their wares.

    1. Mark 85

      Re: Plenty of time to find a new job?

      It sounds like management is blowing smoke along with the "they didn't get anything" line. IT is the scapegoat. It's possible that the staff tried to bring it to some higher-up earlier but were blown off. Which, from what we've seen of hacks lately, is pretty much what happened...

    2. Anonymous Coward

      A few questions

      1. What medical record software does UCLA use?

      2. Is the data stored in encrypted form?

      3. Can the unencrypted data only be retrieved through that software?

      4. What kind of access logging does the system have?

      5. How does the software deliver/display the records? (i.e. as graphics, filled out forms, text, etc.)

      6. Does the software have any kind of throttling? (i.e. Since humans can't read a zillion records per second, did the programmers put any data retrieval rate limits in the software so it can only retrieve data at rates that make sense if a human is accessing it?)

      1. x 7

        Re: A few questions

        Yep, those are the key points, especially (1): which software are they using?

        If it's one of the commercial off-the-shelf programs, the potential risks elsewhere are horrendous.
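The access-logging and throttling questions above (4 and 6) point at a defender-side check: reviewing the record-access log for retrieval rates no human reader would reach. The following is an added example, not code from the thread or from any UCLA system; the log format, user names and threshold are constructed for illustration:

```python
import re
from collections import defaultdict, deque

# Constructed sample of EHR application access-log lines (not real data):
# epoch_seconds user_id action record_id
SAMPLE_LOG = """\
1000 nurse_a VIEW 4411
1003 nurse_a VIEW 4412
1010 nurse_a VIEW 4413
1000 svc_report VIEW 9001
1000 svc_report VIEW 9002
1000 svc_report VIEW 9003
1001 svc_report VIEW 9004
1001 svc_report VIEW 9005
1001 svc_report VIEW 9006
1002 svc_report VIEW 9007
1002 svc_report VIEW 9008
1002 svc_report VIEW 9009
1002 svc_report VIEW 9010
1002 svc_report VIEW 9011
1003 svc_report VIEW 9012
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (VIEW|EXPORT) (\d+)$")

def parse(log_text):
    """Parse log lines into (ts, user, action, record) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, rec = m.groups()
        events.append((int(ts), user, action, rec))
    return events

def flag_bulk_readers(events, window_seconds=60, max_distinct=10):
    """Flag the first moment a user has touched more distinct patient records
    within a sliding window than a human reader plausibly could (assumed threshold)."""
    windows = defaultdict(deque)                       # user -> (ts, record) in window
    in_window = defaultdict(lambda: defaultdict(int))  # user -> record -> hits in window
    alerts = {}
    for ts, user, _action, rec in sorted(events):
        q, counts = windows[user], in_window[user]
        q.append((ts, rec))
        counts[rec] += 1
        while q and q[0][0] < ts - window_seconds:     # expire events outside the window
            old_ts, old_rec = q.popleft()
            counts[old_rec] -= 1
            if counts[old_rec] == 0:
                del counts[old_rec]
        if len(counts) > max_distinct and user not in alerts:
            alerts[user] = {"at": ts, "distinct_records": len(counts)}
    return alerts
```

On the sample, `svc_report` trips the threshold at the eleventh distinct record while `nurse_a` never does; in practice the threshold would be tuned per role from historical access patterns.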

  2. Kev99 Silver badge

    More idiocy courtesy the bean counters

    Maybe these companies and organizations would have learned how unsafe, insecure, and porous the internet is by now. Maybe a few super class action lawsuits against them would get them to go for something more secure. Say, dedicated private networks that used to be the norm? Or telephones? Or yelling out a window?

  3. Doctor Syntax Silver badge

    "Hospital bosses aren't convinced the attackers were able to copy the information out of the network, and claim it's possible the hackers may not have viewed the medical records."

    Several pigs have been found on the hospital roof. A spokesperson said they must have flown there.

  4. John Tserkezis

    "believed to be the work of criminal hackers."

    Perhaps it was the NSA.

    No wait, same thing...

    1. Mark 85

      But.. it had to be criminal hackers.. surely NSA wouldn't do anything illegal.

      1. Christoph

        Of course not. They just have a law passed making it retrospectively legal for them to do it.

  5. Anonymous Coward

    Just a thought

    It may not have been "criminal" hackers or the NSA; it may have been news organizations, probably of a sensationalist bent, that were the source. Aided by criminal hackers ;-). Where have I heard about that before?

  6. iLuddite

    Someday

    there will be a memorial for the final uncracked database.

  7. sysconfig

    "While the attackers accessed parts of the computer network that contain personal and medical information, UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual’s personal or medical information," the group said in a statement.

    Meaning unless somebody posts it on pastebin or holds the UCLA ransom to avoid such disclosure, they just assume everything's dandy, and hackers made their way into the system just for fun but couldn't be bothered to lift any data? Who came up with that ridiculous stance?

  8. Anonymous Coward

    The article implies US patient details...

    but could British patient data also have been compromised as part of the hack?

    If not, who is responsible for their information?

    1. Anonymous Coward

      Re: The article implies US patient details...

      I think you'll find they give even less of a fuck about you.

  9. Anonymous Coward

    Cross matching records with OPM data

    Wonder how many people in this data set were also in the OPM data set?

    With these large numbers of records, even a small percentage means many people for cross-matching purposes.

    That would allow building some fairly complete personal histories, much more than needed for just id theft.

    Not sure exactly what... but it doesn't sound like it would be good. :(

  10. jake Silver badge

    Calling California "Cali" ...

    ... is roughly the same as calling Queen Elizabeth II "Liz". It's only done by tabloids & their readers. Oh, wait ...

    1. Destroy All Monsters Silver badge

      Re: Calling California "Cali" ...

      Yeah, but calling it "Socialist Republic of California" is just too long.

    2. Doctor Syntax Silver badge

      Re: Calling California "Cali" ...

      I think it was going to be one of those Mary Poppins inspired sub-heads but it got truncated.

    3. Anonymous Coward

      Re: Calling California "Cali" ...

      You missed "it is also done by the Reg to annoy jake"

      1. jake Silver badge

        @AC "20 hrs" (whatever that means, ElReg) was: Re: Calling California "Cali" ...

        "You missed "it is also done by the Reg to annoy jake""

        Post proof or retract.

        1. Anonymous Coward

          Re: @AC "20 hrs" (whatever that means, ElReg) was: Calling California "Cali" ...

          Retract?

          If you look up do you see anything other than planes going over your head?

    4. Morrolan

      Re: Calling California "Cali" ...

      Don't forget LL Cool J as well.

  11. Tony S

    Mr Cynical

    "Hospital bosses aren't convinced the attackers were able to copy the information out of the network, and claim it's possible the hackers may not have viewed the medical records."

    If you ask me, that phrase from their statement tells you everything that you need to know about the technical knowledge of the people in charge, and therefore who is really responsible. I'd suggest that it also indicates who will get their arse kicked; and it won't be the management.

  12. Your alien overlord - fear me

    "offering free identity protection as well as a $1,000,000 fraud insurance policy" - that'll cost them a wedge of moolah, considering they could have spent less on some security for their network.

    1. Mark 85

      Did you forget they probably have insurance to cover that? Sure the rates will go up but it's still cheaper than good, solid security.

      1. Anonymous Coward

        Insurance may not be valid if they have been incompetent.

        1. Anonymous Coward

          Incompetence can usually be covered by liability or malpractice insurance. It's MALICE that can't be covered.

  13. The Vociferous Time Waster

    I wonder

    I wonder if the spate of massive hacks which show how porous most big organisations are will finally show how much of a pile of crap our security approach is.

    Big company security is all audit and compliance carried out by not very technical people so it becomes about process rather than protection. A bit like getting a girl to sign an STD waiver rather than just wearing a condom.

    In the last two big organisations I have worked in there have been big holes with easy and cheap fixes, but the security folks won't look at them without a project code, and without their approval you can't make the change to close the loop.

    In another organisation the security team spent a huge amount on PCI DSS consultants but wouldn't spend the money to replace old PIX firewalls with something that was supportable. That organisation processes credit card info and holds it unencrypted on behalf of many clients you almost certainly use.

    1. Charles 9

      Re: I wonder

      Probably because it's cheaper to pay fines and settlements than to overhaul the works.
