The Los Angeles Times reports that the hospital discovered the breach this past March, determining that one of its employees had gained access to the medical records of 4,859 patients. Although it doesn’t appear that the employee was able to compromise patients’ Social Security numbers or payment card information, they were able to get their hands on a large volume of other personal data, including: names, addresses, dates of birth, health plan information, prescriptions, employment status, diagnostic results and other medical test results.
Perhaps most alarming was that, despite being discovered in March, the breach occurred as early as June 2011. In other words, the hospital employee in question had been illegally accessing patient information, undeterred and unnoticed, for 45 months. And despite the fact that the breach was found three months ago, the hospital is only just now notifying the patients affected.
One silver lining is that, according to hospital spokesman John Murray, a forensics investigation of the perpetrator’s hard drive and email account reveals “no evidence that this employee removed any patient information [from the premises].”
UC Irvine is offering free protection and monitoring services to the nearly 5,000 patients whose records were compromised, apologizing for “any inconvenience, stress or worry this news may have caused our patients.” The hospital also stated that the employee responsible has since been disciplined, but no further details, including the person’s employment status, were immediately disclosed.
Unfortunately, this incident is far from being a one-off occurrence. Data breaches and cyber attacks in general are becoming more common, but especially so among healthcare providers and hospitals. It’s easy to see why: Few other databases contain as much personally identifying information in one place as those at a healthcare company. The last few years have seen a wide range of companies in this field finding themselves the victims of a data breach, with one of the largest such incidents hitting the insurance giant Anthem. In that particular situation, the personal data of as many as 80 million Americans was compromised by identity thieves, with names, birth dates, income figures, Social Security numbers and addresses all finding their way into the hands of the hackers.
In its Fifth Annual Study on Medical Identity Theft, the Medical Identity Fraud Alliance determined that 500,000 Americans had become victims of medical ID theft just in 2014. And in many of these cases, the breach was discovered by neither the afflicted company nor the individual victims until long after it occurred, putting these people at a heightened risk of long-standing damage to their credit.
Stories like these are unfortunate reminders of the increasing necessity of vigilant credit monitoring in our lives. While there’s no way to completely protect your identity from thieves, you can take proactive steps to mitigate any damage as much as possible by frequently reviewing your credit report for unusual items. Every American is entitled to at least one free credit report a year from each of the three major bureaus. You can also elect to have a credit monitoring service perform this legwork for you. These services will alert you should certain signs of activity be detected on your credit files.