UC San Diego Health issued a notice this week announcing that it suffered a breach that gave cyber attackers widespread access to information about patients, students and staff.
Jacqueline Carr, executive director of communications and media relations at the University of California, San Diego Health, confirmed to ZDNet that the hack resulted from a phishing attack.
From December 2, 2020 to April 8, 2021, hackers gained access to data including names, addresses, claims information, lab results, medical diagnoses, cases, medical record numbers, other medical identifiers, prescription information, treatment information, medical information, Social Security numbers, government identification numbers, payment card numbers or financial account numbers, security codes, student ID numbers, user names and passwords.
In a frequently asked questions section attached to the notification, the hospital said it discovered suspicious activity on March 12, but that it took until April 8 for its security team to formally identify it as a “security issue.”
The statement said the hackers had control of employee email accounts for weeks before UC San Diego Health discovered the hack, terminated the accounts, and contacted the FBI. A cybersecurity firm is still investigating the incident, and UC San Diego Health said the review would end in September.
“In addition to using advanced data analysis and research tools, UCSD also conducts a manual review of impacted data. This is a labor-intensive and time-consuming process that involves hundreds of hours of detailed review and analysis,” the hospital said.
“In addition to notifying individuals whose personal information may be involved, UCSD has taken remedial measures that have included, among other steps, changing employee credentials, disabling access points, and strengthening our security processes and procedures.”
The University of California, San Diego Academic Health System said it will send notifications by September 30 to students, staff and patients whose personal information was contained in the accounts.
The hospital will provide credit monitoring and identity theft protection services free of charge through Experian IdentityWorks for one year.
A call center has been set up for those who want to ask about their information. Affected people can call 1-855-797-1160 from 6:00 a.m. to 8:00 p.m. PT Monday through Friday and 8:00 a.m. to 5:00 p.m. PT on Saturday and Sunday. Questions related to the incident may also be sent to email@example.com.
UC San Diego Health's statement specifically denied that this breach was related to the Accellion file transfer appliance vulnerability, which led to dozens of cyber attacks.
This isn’t the first time UCSD has had to inform patients of a breach. In 2018, the hospital told 619 patients that their data had been accessed after an attack on Nuance Communications, a third-party medical transcription services company.