UC San Diego Health phishing attack exposes SSNs, financial info

The security incident may have given hackers access to patient, employee and student information for months.
By Kat Jercich
12:16 PM

A phishing attack on University of California San Diego Health earlier this year gave hackers unauthorized access to some employee email accounts – leading to compromised patient, student and staff information.

According to a notice posted on the UCSD Health website this week, the bad actors may have had access to the information for months.  

"UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged," said health system officials in the notice.  

WHY IT MATTERS  

UCSD Health says it was alerted to suspicious activity on March 12 of this year. However, it took until April 8 for the health system to identify the security matter, which involved "unauthorized access to some employee email accounts."  

"At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community," according to UCSD Health.

That means from December 2, 2020 through April 8, hackers may have accessed or acquired the following information about some individuals:  

  • full name
  • address
  • date of birth
  • email
  • fax number
  • claims information (date and cost of health care services and claims identifiers)
  • laboratory results
  • medical diagnosis and conditions
  • Medical Record Number and other medical identifiers
  • prescription information 
  • treatment information
  • medical information
  • Social Security Number
  • government identification number
  • payment card number or financial account number and security code 
  • student ID number 
  • username and password  

UCSD Health representatives confirmed to ZDNet that the breach stemmed from a phishing attack.  

The system is still in the process of analyzing what exactly happened, as well as what data was affected and to whom it belongs.   

This review will be complete in September. After it concludes, UC San Diego Health will notify students, employees and patients whose personal information was contained in the accounts, and will offer a year of free credit monitoring and identity theft protection services.

"In addition to notifying individuals whose personal information may have been involved, UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points and enhancing our security processes and procedures," said the notice.

THE LARGER TREND  

Although ransomware has garnered major cyber-related headlines over the past few months, phishing continues to pose a threat to health systems – and, in fact, the two can work in conjunction with each other.

Earlier this year, 26,000 people had their information exposed when an unauthorized individual gained access to an eye care practice employee's work email. 

And in November 2020, reports emerged about "spear phishing" attempts targeting hospital CEOs, leading to tightened security protocols at several facilities.  

ON THE RECORD  

"While we have a number of safeguards in place to protect information from unauthorized access, we are also always working to strengthen them so we can stay ahead of this type of threat activity," said UC San Diego in the breach notice.

 

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
