Contract Management Lessons from the UCLA Healthcare Data Breach


The list of high-profile data breaches keeps on growing. It seems that no one is immune from a potential attack these days, as companies in the retail, entertainment, and healthcare sectors have been hit, as well as government offices. The latest headline-grabbing breach, involving the UCLA Health System, is shocking and rather unfortunate considering that a lack of strict security protocols was to blame, at least in part, for the hackers' successful intrusion. This latest breach offers some important lessons for companies entrusted with the safekeeping of sensitive and/or confidential data. Security measures around contract management are often less stringent than those around storing other types of company data. Because of the confidential information contained in employee contracts, supplier contracts, and virtually every other type of contract, it is imperative that those responsible for contract management take heed and implement basic security measures.

Data Encryption Is Essential

Perhaps the most shocking aspect of the UCLA Health System breach was the fact that the patient data had not been encrypted. In order to safeguard sensitive data, it is essential to encrypt information stored electronically. This encryption should be in place both for data at rest (meaning it is saved somewhere within the network) and for data in transit (meaning it is being transferred from one location to another for whatever reason). There are plenty of cloud-based solutions that provide encryption for data stored within their systems, and at a reasonable cost, so most companies should be doing this.

Strong Passwords Must Be Used and Protected

It is always possible for hackers to crack a password in some form or fashion. However, the likelihood of this occurring is reduced when companies mandate the use of strong passwords. The most obvious password requirements include the use of capital and lowercase letters, at least one number, and one symbol. Passwords should never be the names of individuals or companies, birthdays, or other information that is easily discernible, even to a hacker who is likely a complete stranger. Additionally, employees should be discouraged from using the same or similar passwords for work-related accounts and personal accounts, and passwords should never be shared with colleagues.

Two-Factor Authentication Provides Additional Security

Although beefing up password requirements certainly helps with security, it is recommended to add a further layer of security by implementing two-factor authentication for access to all systems that contain contract data (or any other sensitive data). This can be a code sent by text message or email upon any login attempt, or a unique user PIN. This protects accounts from access in the event of a compromised password (see above), as the secondary form of authentication must be verified before access is granted.

Security Measures Must Be Proactive, Not Reactive!

According to several online news reports, UCLA is spending substantial (perhaps even exorbitant) sums of money to improve the security of its network. Although that is clearly a necessary step in light of what has happened, it should not be something that occurs AFTER succumbing to a massive breach. And, it is likely that less money would have been spent if appropriate measures had been implemented in the first place. When it comes to protecting data, companies should focus on taking proactive security measures, rather than reactively scrambling to rectify matters post-breach.

Though UCLA's data breach involves patient data and not contracts, it serves as a valid warning for those dealing with sensitive contracts electronically: take steps to protect them.