Crisis Management Disconnect: UCLA’s Data Breach Incident

Sections of this topic

    Crisis Management Disconnect: Data Breach Incident at UCLA

    Saying you care is great, but backing it up with action is a must

    We can barely go a week without another high-profile data breach hitting the news, and lax security from the latest target, UCLA Health Systems means as many as 4.5 million patients may be affected. Much like Anthem, UCLA didn’t bother to encrypt patient data in even the most basic of ways, meaning cybercriminals had little difficulty once they made their way into the network.

    The LA Times’ Chad Terhune dug deeper into the nuts and bolts of the situation:

    “We take this attack on our systems extremely seriously,” said Dr. James Atkinson, interim president of the UCLA Hospital System. “For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened.”

    Atkinson said the hospital detected unusual activity on one of its computer servers in October and began investigating with help from the FBI.

    It wasn’t until May 5, according to UCLA, that investigators determined that the hackers had gained access to parts of UCLA Health’s computer network where some patient information was stored.

    Those parts of the network contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures.

    The unauthorized access could have begun in September 2014, UCLA said, and some of the patient information dates to 1990.

    If we were among the patients whose information was exposed, the first question we would have is “Why didn’t anyone tell us until now?” After all, investigators knew on May 5 that hackers had gained access to parts of the network where patient information was stored, so why the massive delay in communications?

    Atkinson says, “For patients that entrust us with their care, their privacy is our highest priority.” The problem is, his actions say otherwise. A clear interest in self-preservation over the best interests of stakeholders has already been demonstrated. Now, it’s time for UCLA to either walk its talk or eat the reputation damage that comes from failing to do so.

    For more resources, see the Free Management Library topic: Crisis Management

    [Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, and author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is vice president for the firm, and also editor of its newsletter, Crisis Manager]

    – See more at: