For the third time in less than a week, a large U.S. business appears to have been breached by hackers, putting roughly 4.5 million people at risk.
Between Friday and Saturday, July 17 and 18, both UCLA Health and CVS/Pharmacy photo centers announced they had experienced major data breaches.
These two incidents come on the heels of an embarrassing breach at the website AshleyMadison.com, in which hackers say they will post online the personal information of scores of people who use the site to find people with whom to have affairs or cheat on their significant others.
On Friday, July 17, representatives at UCLA Health — a division of the University of California at Los Angeles, which runs four different hospitals — announced that their computer network had been the victim of a "criminal cyber attack."
It's possible that information of a personal and medical nature may have been compromised in the attack, though officials have not confirmed that yet, according to the announcement on UCLA Health's website.
"While the attackers accessed parts of the computer network that contain personal and medical information, UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual's personal or medical information," the announcement read.
"UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been involved in the attack, believed to be the work of criminal hackers."
UCLA Health's news release said it is working with the FBI to investigate the attack, and have also hired their own "cyber experts" to investigate as well as help re-secure its networks.
“We take this attack on our systems extremely seriously,” said Dr. James Atkinson, the interim associate vice chancellor and president of the UCLA Hospital System. “Our patients come first at UCLA Health and confidentiality is a critical part of our commitment to care. We sincerely regret any impact this incident may have on those we serve. We have taken significant steps to further protect data and strengthen our network against another cyber attack.”
UCLA Health admits in the news release that their networks have been breached before, in September and October of 2014 and again in May of this year. Though no abuse has been discovered on behalf of anyone whose information was accessed, UCLA Health says hackers may have accessed information including the names, addresses, Social Security numbers, medical records and medical information of people in its system.
Less than 24 hours after UCLA Health's announcement, CVS/Pharmacy revealed its online photo printing service had also been victim to a cyber attack.
Troublingly, the website for CVS/Pharmacy's photo center — which allows customers to upload photos digitally and order prints to either be mailed to them or picked up at any store location — has been down for nearly a week since.
When one visits the CVS photo center website, all that currently comes up is an announcement by the company, offering details of the attack.
"We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised," the announcement reads. "As a precaution, as our investigation is underway, we are temporarily shutting down access to online and related mobile photo services."
CVS encourages its customers who have a user account to immediately and regularly check their credit card statements and report any suspicious activity. Fortunately, the company reports that CVSPhoto.com user accounts are separate from the CVS optical, in-store medical clinic and general store accounts, so those customers who do not also have a CVS Photo account need not be worried at this time.
The company said it is investigating the matter and will post updates on its website. In the meantime, photo customers can print out their photos in-person at any store without fear of being affected.
A report by Newsweek says authorities are not clear if the CVS and UCLA Health incidents are related.
UCLA Health announced it is offering 12 months of paid identity theft protection to those affected by its breach.
Most recently, healthcare giant Anthem Inc. announced it had been breached in February of this year, potentially compromising 4.5 million people and prompting large state and federal investigations.