Posted on July 30, 2021 at 2:29 PM
UC San Diego Health has stated that the hospital has become a victim of a data breach. According to the firm, threat actors gained access to the email accounts of some employees, but patient care was not affected.
The hospital also stated that once the breach was discovered, it halted access to the employee email accounts and enforced tighter security measures. The hospital stated that the breach was first identified on March 12, but it was not until April 8 that the hospital’s security team officially termed it a “security matter.” The hospital reported the matter to the FBI and liaised with a cybersecurity firm to investigate the matter.
“UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged, a notice by the hospital read.
Which Information was compromised?
UC San Diego Health stated that an investigation into the matter was ongoing. The only information that the firm was certain was compromised includes personal details related to patients, students and employees. A full analysis of the compromised records would be available in September.
The hospital also stated that the data breach happened between December 2020 and April 2021. Cost of health care, lab results, medical diagnosis, medical records, prescriptions, treatment information, social security number, username and passwords were among the details that were accessed by the hackers.
UC San Diego Health also added that once the full forensic review of the breach was done, the firm would send the review to students, employees and patients who were affected by the breach. Only the parties whose contact details are still with the hospital will receive the review by September 30, 2021.
As a show of good faith to parties whose data was affected, UC San Diego stated that the firm would give one year of free credit monitoring and protection against identity theft using Experian Identity Works.
To prevent a similar attack from happening, the hospital also stated that it had taken proactive measures such as changing employee details and boosting security measures to protect the data of employees, patients and other stakeholders.
Offering Support to Affected Parties
UC San Diego Health also stated that it would be creating a call centre dedicated to providing answers to all queries regarding the incident. The call centre will be available at the same time that the reviews will be sent out to the affected parties.
The affected parties can place calls through the number 1-855-767-1160, which will be open between 6.00 a.m. to 5.00 p.m. from Monday to Friday and between 8.00 a.m. and 5.00 p.m. on Saturday and Sunday. Queries can also be sent through the hospital’s email, email@example.com.
A dedicated Experian representative on behalf of UC San Diego Health will be available to assist community members,” UC San Diego Health stated.
When providing the details of the data breach, the hospital also provided tips that would help the relevant stakeholders to beware of future attacks.
According to the statement provided by UC San Diego Health, the firm denied that the data breach was affiliated with Accellion file transfer appliance vulnerability. The vulnerability led to several cyberattacks.
However, UC San Diego has also been a victim of similar breaches in the past. In 2018, the hospital informed 619 patients that their data was compromised. This happened after a Nuance Communications attack, a third party transcription provider for medical records. However, the hospital has been prompt to inform patients of these breaches.
Two months back, Scripps Health was also victim to a similar data breach in May. However, the attack on Scripps Health involved ransomware and was targeted to the hospital’s technology systems. In the attack, personal information belonging to more than 147,000 patients, employees and students was compromised. If the trend continues, more health facilities could become victims.