The UCLA Health System said Friday that it has been the victim of a cyberattack affecting as many as 4.5 million patients.
The attackers accessed a computer network that contains personal and medical information. The University of California, Los Angeles, said there was no evidence yet that any such data was taken, but it can’t rule out that possibility.
UCLA said it was working with the FBI and had hired private computer forensic experts to further secure network servers.
James Atkinson, interim associate vice chancellor and president of the UCLA Hospital System, said the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI.
The investigation confirmed on May 5 that the attackers had gained access to parts of UCLA Health’s computer system where some patient information was stored.
The attackers had access to names, dates of birth, Social Security numbers, Medicare and health-plan identification numbers, and some medical information like patient diagnoses and procedures. The information was not encrypted, UCLA said.
The failure to take that precaution has generated criticism in other high-profile cyberattacks. In February, health-insurance giant Anthem Inc. reported a breach exposing the personal information of about 80 million people.
The insurer said the information involved was not encrypted in its database. But the company said that additional security would not have stopped the attack because an administrator’s credentials were compromised and security protocols were bypassed.
UCLA said that before the attack on its system it had been working to strengthen the security of its electronic health records and databases.