The academic health system of UC San Diego is making an undisclosed number of patients, employees, and students aware that their information may have been accessed between December 2nd, 2020, and April 8th, 2021, during a phishing attack. The threat actors were able to view the information through an employee email account that they had unauthorized access to. Information that may have been viewed includes full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password. Access to the email accounts have now been terminated and law enforcement agencies have been notified. The health system does not believe the information has been misused at this time. A spokesperson also stated, “In addition to notifying individuals whose personal information may have been involved, UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing our security processes and procedures.”
The healthcare industry continues to be a lucrative target for threat actors that are seeking information. Healthcare providers need to focus protection efforts not only on databases and servers, but also employee email accounts. Enforcing multi-factor authentication using a secure authenticator app, limiting login by geographic location, and monitoring for any new email forwarding rules are all examples of best practices for securing email accounts. In this instance since so many types of personal information were accessed, affected patients are being advised to keep a close watch on their financial statements, credit reports, and explanations of benefits forms for any suspicious activity. Patients should also watch for health insurance identity theft fraud by carefully reviewing insurance claims and reporting any unauthorized activity. Formal breach notifications are expected to be sent out sometime in September, but if any unusual activity occurs before then, affected parties should report it immediately.
Healthcare data breach statistics: https://www.hipaajournal.com/healthcare-data-breach-statistics/