UC San Diego Health announces data breach

University discovered incident on March 12
BY PAUL SISSON
JULY 27, 2021 12:55 PM PT
An as-yet-undisclosed number of patients, employees and others connected to UC San Diego Health potentially had their protected information compromised from Dec. 2 through April 8, according to a public notice posted on the provider’s website midday Tuesday.

The notice indicates that the breach occurred via “unauthorized access to some employee email accounts,” but says it did not affect the “continuity of care for our patients.”

Officials confirmed Tuesday that the incursion occurred after someone with a health system email account responded to a “phishing” attempt. The tactic involves tricking employees or other trusted individuals inside an organization into unwittingly typing their log-in credentials or other sensitive information into look-alike websites controlled by hackers. A UCSD Health spokesperson said Tuesday that ransomware, software often used to extort money from an organization, was not involved.

UCSD Health was alerted to “suspicious activity” in its digital systems on March 12 and identified and shut down compromised email accounts on April 8, but did not confirm that protected health information had been compromised until May 25. An investigation — said to be ongoing — has discovered that the accounts “contained personal information associated with a subset of our patient, student and employee community.”

The health system declined to say how many individuals are affected.

Full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information, treatment information, Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames and passwords are said to be among the types of information that “may have been accessed or acquired.”

The attack comes not long after the University of California notified thousands that many of its campuses were infiltrated through outdated file transfer software made by Accellion Inc. That breach, however, did not affect UC San Diego Health and did not involve medical information.

For Accellion, and now for the new health system breach, the university is offering free credit monitoring and identity theft protection for those who have been affected. Scripps Health, San Diego’s second-largest health system, found itself taking similar steps in late May after notifying the public that a month-long ransomware attack potentially compromised the protected information of more than 147,000 people.

Scripps was forced to take down the bulk of its digital systems for most of May, dramatically affecting everything from its ability to confirm existing appointments to diverting ambulances from hospitals that lost access to its digital medical records system.

Though the UCSD breach did not similarly disrupt care, many now face the uncomfortable reality that their sensitive medical information may be in the hands of hackers, despite assurances Tuesday that, so far, there are no indications “that the information has been misused.”

UC San Diego Health indicates that it will begin notifying students, patients and employees that their records were compromised once its “forensic review has concluded” and expects to send notices to all impacted individuals “by September 30, 2021.”

For UCSD Health patients, students and staff, that may seem like a long time to wait, given that data loss was confirmed on May 25. In a follow-up statement, the health system said it is holding off on notification out of an abundance of caution.

“We want to ensure that, when we send notifications to individuals, the letter each individual receives accurately reflects the information that was potentially impacted for that specific individual,” UCSD Health said in an emailed statement.

It is not clear whether a desire for completeness is a valid reason to delay notification of individuals who have been affected by a data breach. Federal law, namely the Breach Notification Rule of the Health Information Portability and Accountability Act, requires affected individuals to be notified “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” Notification of the media and the U.S. Department of Human Services is required within 60 days of discovery if the breach involves 500 or more people.