UC San Diego Health Discloses Data Breach
The Incident May Have Exposed Patients’ Protected Health Information.
On Tuesday, UC San Diego Health confirmed it had fallen victim to a data breach involving “unauthorized access to some employee email accounts.”
In a notice released yesterday, the health group outlined the details of the breach:
UC San Diego Health recently identified and responded to a security matter involving unauthorized access to some employee email accounts. At no time was continuity of care for our patients affected by the event.
Suspicious activity and unauthorized access to some of its employee email accounts was discovered on April 8th. After identifying the issue, UCSD terminated the unauthorized access and reported the event to the FBI.
When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls. UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged.
According to Becker’s Hospital Review, UCSD is currently investigating the incident and declined to comment about how many patients were affected by the incident.
While the investigation is still ongoing, UCSD revealed that it was alerted to “suspicious activity” in its digital systems on March 12th and identified and shut down compromised email accounts on April 8th, but did not confirm that protected health information had been compromised until May 25th.
The unauthorized email access is believed to have occurred between December 2nd, 2020 – April 8th, 2021. The email accounts contained personal information including names, addresses, Social Security numbers, financial account numbers, and prescription details of patients, students, and employees.
Perennial Targets of Cyberattacks
The attack comes not long after the University of California notified thousands that many of its campuses were infiltrated through Accellion’s FTA software.
“UC has learned that it, along with other universities, government agencies, and private companies throughout the country, was recently subject to a cybersecurity attack”, a statement issued by the UC Office of the President back in March read.
That breach, however, did not affect UC San Diego Health and did not involve medical information.
In May, a ransomware attack on Scripps Health’s computer network significantly thwarted care, forcing the healthcare provider to block patient access to its online portal, postpone consultations, and transfer critical care patients to other hospitals. The attack potentially compromised the protected information of over 147,000 people.
The San Diego Union-Tribune reports that although the UCSD breach did not similarly disrupt care, many now face the uncomfortable reality that their sensitive medical information may be in the hands of cybercriminals, despite assurances Tuesday that, so far, there are no indications “that the information has been misused.”
Hospitals have become perennial targets of cyberattacks, including SalusCare, New Hampshire Hospital, and Atascadero State Hospital.
On average, healthcare providers lose almost 7% of their customers after a data breach or cyberattack, which is the highest when compared to other industries.
UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing their security processes and procedures.
In its notice, UCSD indicated it will send individual notices to all those affected by the breach by September 30, 2021.
UC San Diego Health is committed to safeguarding our community’s personal information. Once the forensic review has concluded, UC San Diego Health will send individual notices to those students, employees, and patients whose personal information was contained in the accounts, where current contact information is available.
Additionally, the health giant is offering one year of free credit and identity monitoring services, according to the online notice.