Adding to the long list of cyber hacking victims, the UCLA Health System announced on Friday (July 17, 2015) that it confirmed on May 5, 2015 that a cyber-attacker had accessed parts of UCLA Health’s network as far back as September of 2014. The information accessed included 4.5 million patient names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare and/or health plan ID numbers and medical information, as well as information on UCLA providers who sought privileges at any UCLA Health hospital. The UCLA system includes Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children’s Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA.

The HIPAA breach notification regulations are applicable here. In addition, UCLA has not provided any public information regarding the sensitive psychiatric information that may have been accessed from the Resnick Neuropsychiatric Hospital. That information could include substance abuse treatment information protected by 42 C.F.R. Part 2 and regulated by the Substance Abuse and Mental Health Services Administration, and it may also be subject to state laws that apply to highly sensitive health information regulated by state authorities.

UCLA is working with the FBI and a forensic firm in an ongoing investigation and is offering free identity theft recovery and restoration services and credit monitoring for affected individuals.

This is not the first time UCLA has had HIPAA issues. In July of 2011, it settled alleged HIPAA violations with the Office for Civil Rights for $865,500 and entered into a Resolution Agreement and Corrective Action Plan following an OCR investigation. The allegations were that employees repeatedly and without permission examined the health information of patients (rumored to be famous individuals) between 2005 and 2008.