This evidentiary record constitutes a formal demand for audit pursuant to California Government Code § 8546.7, which provides that every contract involving expenditure of public funds exceeding $10,000 “shall be subject to the examination and audit of the California State Auditor.” The Legislature specifically intended this provision to apply to the Regents of the University of California. The contracts at issue — including UC’s systemwide agreements with Anthem Blue Cross, Accolade, and Via Benefits (Willis Towers Watson) — each involve public fund expenditures far exceeding this threshold.
The University of California constitutes a “public trust” under California Constitution, Article IX, Section 9. As a self-insured employer, UC is bound by Cal. Code Regs. Title 8, § 15400.2: claim files where future benefits may be payable “shall not” be destroyed.
A prior formal audit request was submitted November 9, 2021, to Chief Compliance & Audit Officer Alexander Bustamante. UC has never responded. This is the second such demand.
INTRODUCTION AND PURPOSE
This document provides a comprehensive chronological archive of data breaches affecting the University of California system (with particular emphasis on UCLA), Anthem Blue Cross, and related Blue Cross Blue Shield entities from 2005 through 2026. These breaches are relevant to individuals whose personal information, employment records, retirement data, health insurance records, and disability status information may have been compromised, corrupted, or lost as a result of these cybersecurity incidents.
The documented pattern of data breaches demonstrates systemic vulnerabilities in the data management systems of institutions responsible for maintaining accurate records of University of California employees, retirees, and their dependents. These breaches may have contributed to data corruption, record loss, or unauthorized modifications affecting retirement benefits, disability status determinations, and health insurance coverage.
Each breach entry includes: the date or date range of the incident, the date of public disclosure, the affected entity, the number of individuals affected (where known), a verified source hyperlink, a cross-reference to contemporaneous events affecting Harold’s records (where correlation exists), and a detailed factual summary of the incident including sources, investigation findings, and legal consequences where applicable.
CROSS-REFERENCE COLOR KEY
| Rose Pink | Correlation established: Documented events affecting Harold’s records occurred during or proximate to this breach window. |
| White | No correlation established; pending further investigation. |
SUMMARY OF DOCUMENTED BREACHES
Total Number of Documented Breach Incidents: 25
Time Period Covered: October 2005 through January 2026 (over 20 years)
Largest Single Breach: Anthem Inc. (February 2014) — 78.8 million individuals affected
Most Recent Major Breach: Conduent Business Services (October 2024 – January 2025) — 14.7+ million individuals affected
Entities with Multiple Breaches: UCLA (6 incidents), Anthem/Blue Cross affiliates (13+ incidents), UC System-wide (3 incidents)
Breaches with Harold Record Correlation: 17 of 25 (68%)
CHRONOLOGICAL BREACH DOCUMENTATION
BREACH #1: UCLA — University Database
| Date of Incident: | October 2005 – November 21, 2006 |
| Date of Disclosure: | December 12, 2006 |
| Affected Entity: | UCLA — University Database |
| Individuals Affected: | Approximately 800,000 individuals |
| Source: | CSO Online — Data Breach at UCLA Exposes Records on 800,000 |
| Additional Source: | CBS News — UCLA Data Breach Leaves 800K At Risk |
| Additional Source: | Fox News — UCLA: Hacker May Have Accessed 800,000 Records |
| Cross-Reference to Harold Record Events: | Harold’s personnel records as a UCLA Police Department officer (Badge #341) were maintained in UCLA’s administrative database systems during this period. The 2003 workers’ compensation settlement was active and being honored. Harold’s employment, disability status, and benefits records were housed in the same institutional systems affected by this breach. |
Detailed Summary:
Hackers gained unauthorized access to a UCLA database containing personal information on roughly 800,000 current and former students, faculty members, and applicants. The intrusion began in October 2005 and continued undetected for over thirteen months until November 21, 2006, when university computer security representatives noticed suspicious search queries on the database and realized attacks were being perpetrated. Acting UCLA Chancellor Norman Abrams confirmed that Social Security numbers of some individuals were indeed accessed. The compromised information included names, Social Security numbers, birth dates, addresses, and contact information. Some information on parents of students or applicants who filed for financial assistance was also compromised. At the time, this breach was among the largest at an American college or university. UCLA launched a dedicated website to provide information to potentially affected individuals and established a call center at (877) 533-8082.
BREACH #2: WellPoint/Anthem — Vendor Breach (Concentra)
| Date of Incident: | January 2007 |
| Date of Disclosure: | January 2007 |
| Affected Entity: | WellPoint/Anthem — Vendor Breach (Concentra) |
| Individuals Affected: | 196,000 members |
| Source: | UPI — Data on 196,000 Insurance Customers Stolen |
| Additional Source: | Privacy Rights Clearinghouse — WellPoint/Concentra Breach Report |
| Cross-Reference to Harold Record Events: | No correlation established. Harold’s 2003 settlement was being honored during this period with no known record anomalies. Pending further investigation. |
Detailed Summary:
WellPoint (which later became Anthem) announced that backup tapes containing personally identifiable information (PII) including Social Security numbers for 196,000 members were stolen from a lockbox maintained by their vendor, Concentra. This incident highlighted early vulnerabilities in third-party vendor management and the risks of storing sensitive data on physical media. This was one of several data breach events that Anthem experienced prior to its massive 2014 breach.
BREACH #3: Anthem/WellPoint — Improper Data Storage
| Date of Incident: | October 2009 – March 2010 |
| Date of Disclosure: | July 2011 (Settlement) |
| Affected Entity: | Anthem/WellPoint — Improper Data Storage |
| Individuals Affected: | Over 600,000 customers |
| Source: | DataBreaches.net — Anthem Breach History |
| Additional Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | No correlation established. Harold’s 2003 settlement was being honored during this period with no known record anomalies. Pending further investigation. |
Detailed Summary:
Anthem settled a lawsuit alleging that from October 2009 to March 2010, the company improperly stored personally identifiable information (PII) and electronic versions of individual health insurance applications for over 600,000 customers without username, password, or encryption protection. The improper storage was caused by an improper maintenance upgrade performed by a vendor. This incident demonstrated systemic failures in data protection protocols and vendor oversight that would continue to plague the company.
BREACH #4: UCLA Health System — External Hard Drive Theft
| Date of Incident: | September 6, 2011 |
| Date of Disclosure: | September 2011 |
| Affected Entity: | UCLA Health System — External Hard Drive Theft |
| Individuals Affected: | 16,288 patients |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | No correlation established. Harold’s 2003 settlement was being honored during this period with no known record anomalies. Patient clinical data, not employment or retirement records. Pending further investigation. |
Detailed Summary:
An external hard drive containing protected health information for 16,288 patients was stolen from a former UCLA Health System employee’s home. While the data on the hard drive was encrypted, the password was written on a piece of paper that was stored near the drive and was also missing at the time of the theft. The compromised information included patient names, medical record numbers, dates of service, and clinical information. This incident highlighted vulnerabilities in the handling of portable storage devices and the importance of proper encryption key management.
BREACH #5: Anthem Blue Cross — Mailing Breach (SSN Exposure)
| Date of Incident: | April 2011 – March 2012 |
| Date of Disclosure: | July 28, 2016 (Settlement) |
| Affected Entity: | Anthem Blue Cross — Mailing Breach (SSN Exposure) |
| Individuals Affected: | 33,000+ Medicare members |
| Source: | California Department of Insurance — Anthem Consumer Information |
| Additional Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | Harold was an Anthem Blue Cross Medicare member during this period. Social Security numbers printed on mailed correspondence were visible through envelopes. Harold’s SSN was among the categories of data exposed if he received mailings during this window. |
Detailed Summary:
Blue Cross of California, operating under the trade name Anthem Blue Cross, printed Social Security numbers on letters mailed to more than 33,000 of its Medicare Supplement and Medicare Part D subscribers. The Social Security numbers were visible through the mailed envelopes. California Attorney General Kamala D. Harris filed a lawsuit and settlement alleging the company failed to protect the personal information of its members. The settlement required Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers, provide enhanced data security training for all associates, and pay $150,000 to settle the claim.
BREACH #6: Premera Blue Cross — APT Cyberattack
| Date of Incident: | May 5, 2014 – March 6, 2015 |
| Date of Disclosure: | March 17, 2015 |
| Affected Entity: | Premera Blue Cross — APT Cyberattack |
| Individuals Affected: | 10.4 million individuals (including 6.4 million Washingtonians) |
| Source: | HHS.gov — Premera $6.85M HIPAA Settlement |
| Additional Source: | TechTarget — Premera Pays OCR $6.85M |
| Additional Source: | Washington AG — $10M Multistate Settlement |
| Cross-Reference to Harold Record Events: | This Blue Cross affiliate breach occurred during the exact window (2014–2015) when Harold’s employment status was reclassified from disability income to retirement income and premium deductions began. The same Chinese government-linked hackers (using identical DTOPTOOLZ-signed malware) simultaneously breached Anthem, Harold’s direct insurer. See Chapter 01, Section: “The Unauthorized Reclassification.” |
Detailed Summary:
Premera Blue Cross, the largest health insurer in the Pacific Northwest, suffered a sophisticated cyberattack when hackers sent a phishing email on May 5, 2014, to a Premera employee. The email purported to be from Premera IT but used an incorrect email address that read "@premrera.com" (note the extra 'r'). The employee clicked a link in the email, which contained malware that allowed the hackers to access Premera’s server. The breach remained undetected for nearly nine months until January 29, 2015. The attackers had unauthorized access to sensitive personal information including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers, email addresses, and claims information (including clinical and medical information). A cybersecurity consulting firm hired by Premera attributed the breach to hackers who were agents associated with the Chinese government. Security researchers found that the malware used was similar to that deployed in the Anthem breach, with both signed by a Korean company called DTOPTOOLZ Co. Internal audits in 2013 and 2014 had identified "persistent significant deficiencies" in Premera’s security, and IT management personnel’s funding requests for security items were "often denied." Premera paid $6.85 million to HHS (the second-largest HIPAA settlement), $10 million to 30 state attorneys general, and $74 million in a class action settlement.
BREACH #7: Anthem Inc. — Nation-State Cyberattack (Deep Panda)
| Date of Incident: | February 18, 2014 – January 27, 2015 |
| Date of Disclosure: | February 4, 2015 |
| Affected Entity: | Anthem Inc. — Nation-State Cyberattack (Deep Panda) |
| Individuals Affected: | 78.8 million individuals (including 13.5 million Californians) |
| Source: | Wikipedia — Anthem Medical Data Breach |
| Additional Source: | HIPAA Journal — $16M Record Settlement |
| Additional Source: | BankInfoSecurity — 78.8 Million Affected |
| Additional Source: | Fierce Healthcare — $39M Multistate Settlement |
| Cross-Reference to Harold Record Events: | Harold’s direct health insurer. Anthem provided UC employee/retiree health coverage from 2003 through January 1, 2014. The breach began February 18, 2014, and lasted 11 months. Compromised data explicitly included “employment information and income data.” Harold’s status conversion from disability to retirement income and the initiation of premium deductions occurred during this exact breach window. See Chapter 01, Section: “The Unauthorized Reclassification” and Chapter 07, Section: “Year-by-Year 1099-R Analysis.” |
Detailed Summary:
The largest health data breach in United States history occurred when foreign cyber-criminals associated with the Chinese hacking group "Deep Panda" executed a sophisticated attack against Anthem Inc. The breach began on February 18, 2014, when a user within one of Anthem’s subsidiaries (Amerigroup) opened a phishing email containing a malicious URL "http://www.we11point.com" — a typosquat domain mimicking the legitimate "wellpoint.com" (note the use of number "11" instead of letters "ll"). After obtaining the user’s credentials, the attackers moved laterally across Anthem systems, escalated privileges, and eventually reached Anthem’s data warehouse containing massive amounts of consumer data. By December 10, 2014, the attackers had exfiltrated nearly 80 million records. The breach was discovered on January 27, 2015, by a database administrator who noticed his credentials were being used without his knowledge or consent. Investigation revealed attackers used at least 50 accounts and compromised 90+ systems. The compromised information included names, birthdates, Social Security numbers, street addresses, email addresses, employment information, and income data. Medical information and credit card data were reportedly not compromised. An investigation by state insurance commissioners concluded the breach was "likely ordered by a foreign government." The U.S. Department of Justice eventually indicted multiple Chinese hackers for their involvement. Total costs exceeded $260 million, including: $31 million for notifications, $112 million for credit monitoring, $115 million class action settlement (2017), $16 million HIPAA settlement with HHS (2018, the largest ever), and $39.5 million multistate settlement (2020). From 2003 until January 1, 2014, Anthem provided health insurance to UC employees and retirees and their dependents through plans including Anthem Blue Cross PPO, Anthem Blue Cross PLUS, Anthem Lumenos, Core, Core Medicare, Anthem Blue Cross Medicare PPO, and High Option Supplement to Medicare.
BREACH #8: UCLA Health System — Cyberattack
| Date of Incident: | September 21, 2014 – May 5, 2015 |
| Date of Disclosure: | July 17, 2015 |
| Affected Entity: | UCLA Health System — Cyberattack |
| Individuals Affected: | 4.5 million patients |
| Source: | California AG Kamala Harris — Consumer Alert |
| Additional Source: | HIPAA Journal — 4.5M Patient Records Exposed |
| Additional Source: | BankInfoSecurity — $7.5M Settlement Analysis |
| Cross-Reference to Harold Record Events: | Harold’s patient records were maintained in UCLA Health System databases. This breach overlaps exactly with the period when Harold’s employment status was being reclassified and his records were changing. Compromised data included Medicare and health plan identification numbers, medical information, and financial information. See Chapter 01 and Chapter 07. |
Detailed Summary:
Hackers gained unauthorized access to UCLA Health System’s computer network starting in September 2014. The breach was not discovered until May 5, 2015, meaning attackers had access for approximately eight months. The compromised information included names, addresses, dates of birth, Social Security numbers, Medicare and health plan identification numbers, medical information (including diagnoses and treatments), and financial information. California Attorney General Kamala D. Harris issued a consumer alert noting this breach posed a risk of both identity theft and medical identity theft. A class action lawsuit was filed on July 24, 2015, resulting in a $7.5 million settlement that included $2 million for claims and $5.5 million for cybersecurity enhancements. UCLA offered affected individuals free identity theft recovery and monitoring services through ID Experts.
BREACH #9: UC Berkeley — Division of Equity & Inclusion Web Server
| Date of Incident: | December 2014 & February 2015 |
| Date of Disclosure: | April 30, 2015 |
| Affected Entity: | UC Berkeley — Division of Equity & Inclusion Web Server |
| Individuals Affected: | Students (number not publicly disclosed) |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | No correlation established. UC Berkeley student data system; no direct connection to Harold’s UCLA employment, retirement, or health insurance records. Pending further investigation. |
Detailed Summary:
The UC Berkeley Division of Equity & Inclusion experienced two separate unauthorized access events to a web server containing student financial information. The compromised data included Social Security numbers and other sensitive student information. This breach demonstrated ongoing vulnerabilities in university systems that stored sensitive personal data.
BREACH #10: UC Berkeley — Financial System
| Date of Incident: | December 28, 2015 |
| Date of Disclosure: | February 26, 2016 |
| Affected Entity: | UC Berkeley — Financial System |
| Individuals Affected: | Approximately 80,000 individuals |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | No correlation established. UC Berkeley financial system; no direct connection to Harold’s UCLA employment, retirement, or health insurance records. Pending further investigation. |
Detailed Summary:
The UC Berkeley Financial System (BFS) was compromised in a cyberattack discovered on December 28, 2015. Approximately 50% of those affected were current students, and 65% were active employees. The remaining affected individuals included vendors and others with financial relationships with the university. Compromised data included Social Security numbers and bank account numbers. University IT security detected the breach within 24 hours and removed the affected servers from the network. Notification letters were sent to affected individuals on February 26, 2016. The university provided credit monitoring services to those affected.
BREACH #11: UCLA Summer Sessions & International Education Office
| Date of Incident: | May 18, 2017 |
| Date of Disclosure: | August 4, 2017 |
| Affected Entity: | UCLA Summer Sessions & International Education Office |
| Individuals Affected: | Approximately 32,000 students |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | No correlation established. Student enrollment data, not employee retirement or health insurance records. Pending further investigation. |
Detailed Summary:
A cyberattack on a UCLA Summer Sessions and International Education Office server potentially breached the personal information of approximately 32,000 students. The attack occurred on May 18, 2017, but was not reported until August 2017. The affected students were those who provided their personal information to UCLA before April 13, 2016. The compromised data potentially included names, addresses, Social Security numbers, dates of birth, and medical information. UCLA spokesperson Tod Tamberg stated there was no evidence to indicate the attacker accessed or acquired any personal information from the server, but the possibility of a breach could not be ruled out. The breach was reported to the California Attorney General’s Office.
BREACH #12: University of California System — Accellion File Transfer Appliance (FTA) Breach
| Date of Incident: | December 24, 2020 – March 29, 2021 |
| Date of Disclosure: | March 31, 2021 |
| Affected Entity: | University of California System — Accellion FTA Breach |
| Individuals Affected: | 547,000+ individuals across UC system |
| Source: | BusinessWire — UC Official Notification |
| Cross-Reference to Harold Record Events: | UC system-wide breach affecting employee, retiree, and disability records. During this exact period (February–March 2021), Ida Fong at RASC discovered that Harold’s son “Max” was erroneously coded as disabled and admitted that “old records were lost during computer upgrades.” UC agents were unable to locate or verify Harold’s settlement records. See Chapter 04, Call #2 (Ida Fong). |
Detailed Summary:
A vulnerability in the Accellion File Transfer Appliance (FTA) software was exploited by cyber criminals affecting the entire University of California system. The breach was discovered on December 24, 2020. Affected individuals included UC employees, retirees, dependents, and students across all UC campuses. The compromised data included Social Security numbers, dates of birth, financial information, health information, and disability accommodation information. On March 29, 2021, data stolen in the breach was posted on the dark web. Public disclosure occurred on March 31, 2021. Over 100 organizations nationwide were similarly attacked through this vulnerability. The University of California provided affected individuals with one year of Experian IdentityWorks credit monitoring services. A campus forum was held on May 12, 2021, to help the UCLA campus community understand the breach and protect their identities.
BREACH #13: Anthem Inc. — Vendor/Third-Party Breach
| Date of Incident: | January 12, 2021 |
| Date of Disclosure: | 2021 |
| Affected Entity: | Anthem Inc. — Vendor/Third-Party Breach |
| Individuals Affected: | Not publicly disclosed |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | Harold was actively seeking records correction from UC during this period. Within weeks, Ida Fong at RASC would discover coding errors in retiree records and admit that older records had been lost. Six Anthem breaches in 2021 occurred while Harold’s insurer’s data systems were repeatedly compromised. See Chapter 04, Call #2. |
Detailed Summary:
Anthem Inc. reported a data security incident to the California Attorney General’s Office with a breach date of January 12, 2021. This was one of multiple breach notifications Anthem filed with California authorities during 2021, indicating ongoing security challenges with the company’s systems or third-party vendors.
BREACH #14: Anthem Inc. — Data Security Incident
| Date of Incident: | January 21, 2021 |
| Date of Disclosure: | 2021 |
| Affected Entity: | Anthem Inc. — Data Security Incident |
| Individuals Affected: | Not publicly disclosed |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | Second Anthem breach in nine days. Harold’s records correction efforts were underway. See Breach #13 cross-reference. |
Detailed Summary:
Anthem Inc. reported another data security incident to the California Attorney General’s Office with a breach date of January 21, 2021. This incident occurred just nine days after the previous reported breach, suggesting potential systemic vulnerabilities or an ongoing attack campaign.
BREACH #15: Anthem Inc. — Data Security Incident
| Date of Incident: | May 1, 2021 |
| Date of Disclosure: | 2021 |
| Affected Entity: | Anthem Inc. — Data Security Incident |
| Individuals Affected: | Not publicly disclosed |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | Third Anthem breach of 2021. Ida Fong’s investigation into Harold’s records was ongoing during this period. See Chapter 04, Call #2. |
Detailed Summary:
Anthem Inc. reported a data security incident to the California Attorney General’s Office with a breach date of May 1, 2021. Details regarding the specific nature of the breach and number of affected individuals were not publicly disclosed in the notification.
BREACH #16: Anthem Inc. — Data Security Incident
| Date of Incident: | June 30, 2021 |
| Date of Disclosure: | 2021 |
| Affected Entity: | Anthem Inc. — Data Security Incident |
| Individuals Affected: | Not publicly disclosed |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | Fourth Anthem breach of 2021. Harold’s records remained unresolved. UCLA Luskin Center was actively researching Harold’s case history during this same period. See Chapter 06, Contradiction #5. |
Detailed Summary:
Anthem Inc. reported a data security incident to the California Attorney General’s Office with a breach date of June 30, 2021. This was the fourth breach notification Anthem filed with California authorities during 2021.
BREACH #17: Anthem Inc. — HITECH Notification
| Date of Incident: | August 3, 2021 |
| Date of Disclosure: | October 29, 2021 |
| Affected Entity: | Anthem Inc. — HITECH Notification |
| Individuals Affected: | California residents (number not publicly disclosed) |
| Source: | California Attorney General — Data Breach Database (Ref: SB24-546965) |
| Cross-Reference to Harold Record Events: | Fifth Anthem breach of 2021. Edgar Bustamante was preparing the formal audit request to UC that would be submitted in November 2021. See Chapter 09. |
Detailed Summary:
Anthem Inc. reported a data security incident to the California Attorney General’s Office with a breach date of August 3, 2021. The notification included a HITECH Notification Letter Template sent to affected members. This breach is documented in the California Attorney General’s data breach database with reference number SB24-546965.
BREACH #18: Anthem Inc. — Data Security Incident
| Date of Incident: | October 1, 2021 |
| Date of Disclosure: | 2021 |
| Affected Entity: | Anthem Inc. — Data Security Incident |
| Individuals Affected: | Not publicly disclosed |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | Sixth Anthem breach of 2021. The Bustamante audit request was submitted to UC the following month (November 9, 2021). See Chapter 09. |
Detailed Summary:
Anthem Inc. reported a data security incident to the California Attorney General’s Office with a breach date of October 1, 2021. This was the sixth breach notification Anthem filed with California authorities during 2021.
BREACH #19: Anthem Inc. — Data Security Incident
| Date of Incident: | November 4, 2021 |
| Date of Disclosure: | 2021 |
| Affected Entity: | Anthem Inc. — Data Security Incident |
| Individuals Affected: | Not publicly disclosed |
| Source: | California Attorney General — Data Breach Database |
| Cross-Reference to Harold Record Events: | Seventh Anthem breach of 2021 — filed the same month as the Bustamante formal audit request (November 9, 2021). Seven separate data security incidents at Harold’s health insurer in a single calendar year while his records remained unresolved. See Chapter 09. |
Detailed Summary:
Anthem Inc. reported a data security incident to the California Attorney General’s Office with a breach date of November 4, 2021. This was the seventh breach notification Anthem filed with California authorities during the calendar year 2021, demonstrating a pattern of ongoing security incidents affecting the health insurer.
BREACH #20: Blue Shield of California — Google Analytics Misconfiguration
| Date of Incident: | April 2021 – January 2024 |
| Date of Disclosure: | April 9, 2025 |
| Affected Entity: | Blue Shield of California — Google Analytics Misconfiguration |
| Individuals Affected: | 4.7 million members |
| Source: | HIPAA Journal — Blue Shield Google Analytics Breach |
| Additional Source: | SecurityWeek — 4.7 Million Members Impacted |
| Cross-Reference to Harold Record Events: | Harold’s health plan data was potentially exposed for nearly three years through this misconfiguration. The breach window (April 2021 – January 2024) spans the entire period when Harold was seeking records correction, the Bustamante audit request was filed and ignored, and the UCLA Luskin Center published its research documenting Harold’s case. See Chapters 04, 06, and 09. |
Detailed Summary:
Blue Shield of California disclosed that a misconfiguration in Google Analytics shared protected health information (PHI) with Google Ads for nearly three years, from April 2021 through January 2024. The breach affected 4.7 million members whose health data was inadvertently transmitted to Google’s advertising platform due to the technical misconfiguration. The disclosure was made on April 9, 2025, more than a year after the issue was discovered and remediated. This incident highlighted the risks of third-party analytics tools when handling sensitive health information and the importance of proper configuration of data tracking technologies.
BREACH #21: UCLA — MOVEit Transfer Application Breach (CL0P Ransomware)
| Date of Incident: | May 27–28, 2023 |
| Date of Disclosure: | June 22, 2023 |
| Affected Entity: | UCLA — MOVEit Transfer Application Breach (CL0P Ransomware) |
| Individuals Affected: | Students, faculty, and staff (number not publicly disclosed) |
| Source: | JD Supra — UCLA MOVEit Breach Notice (CA AG Filing) |
| Additional Source: | NBC Los Angeles — UCLA Among Victims of Worldwide Cyber Attack |
| Additional Source: | Cybernews — UCLA Listed by MOVEit Hackers |
| Cross-Reference to Harold Record Events: | Harold’s personnel and retirement records were maintained in UCLA systems. Two months after this breach (August 2023), UCLA PD Chief Chobanian denied Harold’s CCW permit renewal, classifying him as “medically separated” — contradicting UCLA’s own prior CCW cards designating him as “RETIRED.” See Chapter 06, Contradiction #7. |
Detailed Summary:
UCLA’s MOVEit Transfer Application was compromised by the CL0P ransomware gang, which exploited a zero-day vulnerability (CVE-2023-34362) in the Progress Software file transfer tool. The attack occurred on May 27–28, 2023, and was part of a widespread campaign that affected hundreds of organizations globally. UCLA discovered the breach on June 1, 2023, and filed a notice of data breach with the California Attorney General on June 22, 2023. UCLA confirmed it was a victim of the attack but classified it as "not a ransomware incident" because no ransom demand was made directly to the university. The CL0P gang posted stolen UCLA data on its dark web leak site. UCLA worked with the FBI and cybersecurity firm Mandiant to assess the incident. The specific types of data compromised were not immediately confirmed, but MOVEit systems typically contained sensitive personal and financial information.
BREACH #22: UCLA — Life Sciences Division
| Date of Incident: | January 24, 2024 |
| Date of Disclosure: | 2024 |
| Affected Entity: | UCLA — Life Sciences Division |
| Individuals Affected: | Approximately 1.19% of UCLA campus community |
| Source: | Twingate — UCLA Data Breach Analysis |
| Cross-Reference to Harold Record Events: | No correlation established. Life Sciences Division IT environment; no direct connection to police, retirement, or health insurance record systems. Pending further investigation. |
Detailed Summary:
UCLA’s Life Sciences Division IT environment experienced a security incident involving unauthorized access by an organized cyber criminal group (suspected to be CL0P). The university promptly activated its incident response procedures, isolated the compromised environment, and enhanced system monitoring. UCLA collaborated with external cybersecurity experts and law enforcement to assess the incident and determine the extent of the impact. This incident followed the previous cyberattacks in May and June 2023. The breach impacted data related to approximately 1.19% of the UCLA campus community. UCLA continues to investigate the potential impacts on personal information with the assistance of leading cybersecurity experts.
BREACH #23: Conduent Business Services — Healthcare Data Breach
| Date of Incident: | October 21, 2024 – January 13, 2025 |
| Date of Disclosure: | January 2025 |
| Affected Entity: | Conduent Business Services — Healthcare Data Breach |
| Individuals Affected: | 14.7+ million individuals (8th largest healthcare data breach in U.S. history) |
| Source: | HIPAA Journal — Conduent Data Breach (25M+ Victims) |
| Additional Source: | BankInfoSecurity — Conduent Stolen Data Details |
| Cross-Reference to Harold Record Events: | Conduent processes claims for multiple Blue Cross Blue Shield entities serving UC employees. This breach occurred during Harold’s cancer diagnosis (November 2025) and treatment period, while UC was simultaneously attempting to transfer his coverage to Via Benefits. See Chapter 02. |
Detailed Summary:
Conduent Business Services, a major healthcare claims processor and benefits administrator, suffered one of the largest healthcare data breaches in United States history. The breach lasted approximately three months, from October 21, 2024, through January 13, 2025, before being detected. The SafePay ransomware group claimed responsibility for the attack. The breach affected multiple Blue Cross Blue Shield entities that serve UC employees, including BCBS Texas, BCBS Montana, Premera Blue Cross, and Humana. Compromised information included names, Social Security numbers, medical information, health insurance information, and other sensitive personal data. This breach is particularly significant for UC employees and retirees who have health coverage through Blue Cross affiliates, as their retirement and disability records may have been exposed. The extended duration of the breach before detection (nearly three months) mirrors the pattern seen in previous major healthcare breaches like Anthem (11 months) and UCLA Health (8 months).
BREACH #24: Cierant Corporation — Ransomware Attack
| Date of Incident: | December 10, 2024 |
| Date of Disclosure: | July 3, 2025 |
| Affected Entity: | Cierant Corporation — Ransomware Attack |
| Individuals Affected: | 232,506 individuals |
| Source: | HIPAA Journal — Cierant 232,500-Record Breach |
| Additional Source: | ClaimDepot — Cierant Data Breach Details |
| Additional Source: | SecurityWeek — Cierant/Cleo MFT Exploit |
| Cross-Reference to Harold Record Events: | No correlation established. Cierant processes data for Blue Cross Blue Shield of Massachusetts; Harold’s coverage is through Blue Shield of California and Anthem Blue Cross of California. Pending further investigation. |
Detailed Summary:
Cierant Corporation, a Danbury, CT-based distributed marketing software and services company, experienced a ransomware attack when hackers exploited a zero-day vulnerability in the Cleo VLTrader managed file transfer solution on December 10, 2024. The breach compromised the personal and health information of 232,506 individuals. The compromised data included names, addresses, dates of birth, health plan beneficiary numbers, medical record numbers, plan member account numbers, premium information, provider names, treatment-related dates, claims numbers, and generic descriptions of services received. Cierant disclosed the breach to the California, Texas, Washington, and Montana Attorneys General’s offices beginning on July 7, 2025 and reported to HHS on July 3, 2025. Cierant is offering 12 months of free Epiq credit monitoring to affected individuals.
BREACH #25: Blue Shield of California — Record Merge Technical Error
| Date of Incident: | October 6, 2025 |
| Date of Disclosure: | January 5, 2026 |
| Affected Entity: | Blue Shield of California — Record Merge Technical Error |
| Individuals Affected: | Members (number not publicly disclosed) |
| Source: | Blue Shield of California News Center — Official Substitute Notice |
| Cross-Reference to Harold Record Events: | During this exact period, Harold’s Accolade health benefits app showed “0 Services Available,” SMIL sent collection texts for pre-authorized cancer imaging, and UC communicated its intention to transfer Harold to Via Benefits effective April 1, 2026 — during post-operative cancer surgery recovery. A record merge error at Harold’s health insurer coincides precisely with his benefits data displaying incorrectly. See Chapter 02 and Chapter 03. |
Detailed Summary:
Blue Shield of California experienced a technical error during a system enhancement that caused member portal to display other members’ protected health information (PHI). The incident occurred on October 6, 2025, but was not disclosed until January 5, 2026. The record merge issue happened during a performance upgrade to Blue Shield’s member-facing systems. Affected members may have had their personal health information briefly visible to other members accessing the portal during the incident window. This breach represents a different category of data exposure — one caused by internal technical errors during system maintenance rather than external cyberattacks.
LEGAL SIGNIFICANCE AND PATTERN ANALYSIS
The documented breaches reveal a persistent pattern of cybersecurity failures affecting institutions responsible for maintaining sensitive employment, retirement, and health insurance records of University of California employees and retirees. Key observations include:
Extended Breach Durations: Major breaches consistently went undetected for extended periods. The Anthem breach lasted 11 months before discovery. The UCLA Health breach lasted 8 months. The Premera breach lasted 9 months. The Conduent breach lasted nearly 3 months. These extended durations provided ample time for data exfiltration, corruption, or unauthorized modification.
Repeated Compromise of Same Populations: UC employees and retirees with Anthem/Blue Cross coverage have been affected by multiple breaches spanning over two decades. The same Social Security numbers, employment records, and health information have been repeatedly exposed.
Third-Party Vendor Vulnerabilities: Multiple breaches originated from vendor systems (Concentra, Accellion, MOVEit, Conduent, Cierant), demonstrating that data security depends on the weakest link in the chain of custody.
Nation-State Involvement: The Anthem and Premera breaches were attributed to Chinese government-sponsored hackers, indicating that health insurance data of UC employees was targeted by foreign intelligence operations.
Regulatory Findings of Systemic Failures: Multiple regulatory investigations found deficiencies in basic security practices, including failures to encrypt data, failures to conduct risk analyses, failures to implement access controls, and failures to monitor for unauthorized activity.
CONCLUSION
This comprehensive archive documents 25 data breach incidents affecting UC/UCLA and Anthem Blue Cross systems between 2005 and 2026. Of these 25 breaches, 17 (68%) show documented correlation to contemporaneous events affecting Harold’s employment records, benefits status, or data integrity. The cumulative effect of these breaches has exposed the personal information, employment records, retirement data, and health insurance information of University of California employees, retirees, and their dependents to repeated unauthorized access, potential corruption, and possible modification. These facts support a reasonable inference that data integrity of records maintained by these institutions may have been compromised.
SOURCES AND VERIFICATION
• California Attorney General Data Breach Database (oag.ca.gov)
• U.S. Department of Health and Human Services Office for Civil Rights Breach Portal
• Official University of California and UCLA announcements and notifications
• Anthem Inc. official statements and settlement documents
• Court filings and settlement agreements from class action litigation
• California Department of Insurance investigation reports
• Washington State Attorney General press releases and complaints
• Cybersecurity research firms (Mandiant, CrowdStrike, ThreatConnect, Emsisoft)
• CISA (Cybersecurity and Infrastructure Security Agency) advisories
• News reports from Los Angeles Times, CNN, TechCrunch, Healthcare IT News, NBC Los Angeles, and other publications