Hackers breach UC San Diego hospital, gaining access to SSNs and medical info of patients, employees, and students

UC San Diego Health released a notice this week announcing that they suffered a breach that gave cyberattackers widespread access to information about patients, students and employees. 

UC San Diego Health’s executive director of communications and media relations Jacqueline Carr confirmed to ZDNet that the breach resulted from a phishing attack. 

From December 2, 2020 to April 8, 2021, hackers had access to data including names, addresses, claims information, laboratory results, medical diagnosis and conditions, Medical Record Numbers and other medical identifiers, prescription information, treatment information, medical information, Social Security numbers, government identification numbers, payment card numbers or financial account numbers and security codes, student ID numbers, and usernames and passwords.

In an FAQ attached to the notice, the hospital said it discovered suspicious activity on March 12 but it took until April 8 for its security team to officially identify it as “a security matter.”

The statement said the hackers gained control of employee email accounts for weeks before UC San Diego Health discovered the breach, terminated the accounts and contacted the FBI. A cybersecurity company is still investigating the incident and UC San Diego Health said the review will finish in September. 

“In addition to using sophisticated tools to parse and search the data, UC San Diego Health is also conducting a manual review of the affected data. This is a labor-intensive and time-consuming process that involves hundreds of hours of detailed review and analysis,” the hospital said.  

“In addition to notifying individuals whose personal information may have been involved, UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing our security processes and procedures.”

The academic health system of the University of California, San Diego said it will send notices to the students, employees, and patients whose personal information was contained in the accounts by September 30. 

The hospital will offer free credit monitoring and identity theft protection services through Experian IdentityWorks for one year. 

A call center has been created for those who may be concerned about their information. Those affected can call 1-855-797-1160 from 6:00 a.m. to 8:00 p.m. PT Monday through Friday and from 8:00 a.m. to 5:00 p.m. PT Saturday and Sunday. Questions about the incident can also be sent to [email protected].

The statement from UC San Diego Health also took time to deny that this breach was connected to the Accellion file transfer appliance vulnerability, which led to dozens of cyberattacks. 

This is not the first time UC San Diego Health has had to inform patients about a breach. In 2018, the hospital told 619 patients that their data was accessed after an attack on Nuance Communications, a third-party medical transcription provider.