UC San Diego Health data breach and the investigation in place

The academic health system of the University of California, the UC San Diego Health has disclosed a data breach when their employees email accounts were compromised. It is one of the best hospitals in the country, with UC San Diego Medical Center, Sulpizio Cardiovascular Center, Jacobs Medical Center all under the same healthcare license with a capacity for 808 beds in total.

As per the statement made by Jacqueline Carr, Executive Director of Communications and Media Relations the data breach has happened via a phishing attack.

More details on the UC San Diego Health data breach

After discovering compromised email accounts on April 8th, with a suspicious activity on March 12th, US San Diego Health have reported the event to law enforcement and the FBI. With proper investigation it seems the attackers might have accessed the personal data of patients and employees from Dec 02, 2021 to April April 08, 2021 via a phishing campaign.

Thought the access was there, until now the threat actors haven’t utilized the stolen information for further breaches, personal data that was accessed includes, Name, Address, Date of Birth, Email, Fax Number, Claims information, Patient Conditions, Medical Diagnosis, Lab results, Social Security Number, Government Identification Number, Payment Card Number and Financial Account Number, Security Code, Account Credentials and Student ID number.

At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. We estimate this review will be complete in September.  – UC San Diego Health

How is UC San Diego Health preparing to handle the situation?

The hospital has warned its community members to be cautious of potential identity theft and fraudulent activities due to the compromised personal data. It has mentioned the following in its FAQ page,

 You can do this by regularly reviewing and monitoring your financial statements, credit reports, and Explanations of Benefits (EOBs) from your health insurers for any unauthorized activity  – UC San Diego Health

The hospital is also enforcing MFA for personal profiles as and when applicable. After the investigation gets completed in September 2021, the hospital will notify the individuals about the data breach and do the necessary procedure to keep the stakeholders updated about the latest count of accounts compromised. It has also updated 610 patients regarding the data breach that occurred in 2018, due to Nuance communication.