Data Breach at UC San Diego Health Exposes PII

  • By Dawna M. Roberts
  • Published: Aug 10, 2021
  • Last Updated: Mar 18, 2022

 The weakest link of any company is an untrained employee unaware of the dangers of ignoring cybersecurity best practices. This is the case with UC San Diego Health that suffered a data breach that lasted four months, exposing medical information for employees, patients, and students.

What Happened?

Threatpost reported this week that a phishing campaign was the cause of a significant cybersecurity attack on UC San Diego Health which occurred between Dec 2, 2020, and April 8, 2021. UC San Diego Health posted a public notice on Wednesday that revealed the details and that personal information such as names, email addresses, social security numbers, dates of birth, and some dates and of medical services along with the cost was exposed for a four-month-long excursion.

UCSD immediately involved the Federal Bureau of Investigations (FBI), and that agency is now handling the investigation.

In its notice to the public, UCSD said, “This process of analyzing the data in the email accounts is ongoing. UC San Diego Health is moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. This review will be complete in September.”

UC San Diego Data Breach

UCSD’s Response

UC San Diego Health has decided to wait until the investigation is complete before notifying data breach victims. Upon doing so, the company will offer them a year of identity theft protection. Unfortunately, with the personally identifiable information (PII) stolen, victims may experience identity theft and other types of fraud before the investigation is over and, as Threatpost comments, “for years to come.”

Threatpost expands on that by saying “Fraudsters can leverage the medical records, lab results, Social Security numbers and government identification numbers to impersonate legitimate patients and commit insurance fraud, seek covered medical care and refill unauthorized prescriptions,” Robert Prigge, CEO of Jumio said. “It’s also possible the exposed information is already circulating on the dark web – where it can command a high value since there’s more personal information in health records than any other electronic database.”

As if that wasn’t scary enough, the more emergent danger for victims is that “They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made. Additionally, it is conceivable that the medical state, diagnosis or prescription information for high profile patients could be of interest to nation-states, terrorist groups, or other threat actors looking to do physical harm.”

UCSD has committed to better security and confirms that they have already taken steps to improve the safety of patient, employee, and student records.

Healthcare Organizations Still a Target

With the pandemic came a flood of cyberattacks, many of them targeted medical providers, and hackers have amassed millions of medical records selling for top dollar on the dark web.

These attacks illuminate the real problem that the healthcare industry is ill-equipped with inferior security measures to handle any type of cybersecurity intrusion.

Threatpost expands on this

“Due to the massive amounts of personal health information (PHI) healthcare institutions store in their systems, the sector as a whole must take a more vigilant approach to security. As such, these organizations must leverage a Zero Trust framework to ensure all their resources and data are granularly secure. Additionally, deploying multi-faceted cybersecurity platforms that include data loss prevention (DLP), multi-factor authentication (MFA), and user and entity behavior analytics (UEBA) can provide them with full visibility and control over their entire network.”

Along with better security, all private organizations need better employee training. According to cybersecurity experts, more than 65% of attacks are due to phishing campaigns and ignorant employees clicking links when they shouldn’t or providing credentials to total strangers.

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What You Need to Know about the Hot Topic Data Breach

What You Need to Know about the Hot Topic Data Breach

Hot Topic plays in the fashion, apparel, and shoe industry as a retailer of music-influenced apparel and accessories, such as jeans, tops, belts, dresses, pajamas, sunglasses, jewelry, and tees.

Google Voice Scams: What They Are and How to Stay Safe

Google Voice Scams: What They Are and How to Stay Safe

Google Voice scams continue to pose a risk for users of this service. Scammers continuously attempt to lure users into divulging their verification PIN code.

What Are Pretexting Attacks: Scam Types and Security Tips?

What Are Pretexting Attacks: Scam Types and Security Tips?

Have you ever received a text from someone you do not know? Did you become alarmed by the message? Did the message contain information about you and the people you know?

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close