UC San Diego Health, the academic health system of the University of California, recently suffered a data breach that, it says, potentially compromised the sensitive personal information of patients, employees, and students.
In a data security incident notification, UC San Diego Health said that the security incident involved a threat actor gaining unauthorised access to employees’ email accounts. As soon as the breach was discovered, the health system terminated the unauthorised access immediately and strengthened its security controls.
UC San Diego Health has reported the incident to the FBI and is working with external cybersecurity experts to investigate the event and determine the reason for the breach and the magnitude of the impact. It is expected that the investigation will be completed by September.
In its notification, the health system said that the unauthorised access impacted email accounts that contained personal information associated with a subset of the patient, student, and employee communities. It, however, said that there is no evidence to confirm that the breached data has been misused by malicious actors.
The university said that personal information accessed by the hackers could potentially include full names, addresses, dates of birth, email addresses, fax numbers, and claims information (date and cost of health care services and claims identifiers).
The compromised data may also include laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.
Though it is still not clear when this security incident took place, UC San Diego Health was notified about the suspicious activity on 12th March, and on 8th April, it discovered that some email accounts were accessed without authorisation. It is possible that the attacker may have accessed or acquired information between 2 December 2020 and 8 April 2021.
In addition to notifying individuals whose personal information may have been compromised, UC San Diego Health has taken remediation measures such as changing employee credentials, disabling access points, and enhancing security processes and procedures.
Commenting on yet another healthcare provider suffering a breach, Alicia Townsend, Technology Evangelist at OneLogin, told Teiss that sadly, malicious actors are constantly trying to take advantage of employees in the healthcare industry in order to access such a rich source of patient personal information.
“While [the hackers] did not seem to get full access to entire data stores of patient information, they did get access to personal information for a number of patients, everything from basic contact information to social security numbers to medical history.
“Healthcare institutions must implement security training for all of their users. Everyone needs to be educated on how to spot phishing attempts, how to keep their passwords secure, the importance of using additional authentication factors, and what to do in case they suspect an attack,” she added.