Data Breach at UC San Diego Health Exposes PII
Table of Contents
- By Dawna M. Roberts
- Published: Aug 10, 2021
- Last Updated: Mar 18, 2022
The weakest link of any company is an untrained employee unaware of the dangers of ignoring cybersecurity best practices. This is the case with UC San Diego Health that suffered a data breach that lasted four months, exposing medical information for employees, patients, and students.
What Happened?
Threatpost reported this week that a phishing campaign was the cause of a significant cybersecurity attack on UC San Diego Health which occurred between Dec 2, 2020, and April 8, 2021. UC San Diego Health posted a public notice on Wednesday that revealed the details and that personal information such as names, email addresses, social security numbers, dates of birth, and some dates and of medical services along with the cost was exposed for a four-month-long excursion.
UCSD immediately involved the Federal Bureau of Investigations (FBI), and that agency is now handling the investigation.
In its notice to the public, UCSD said, “This process of analyzing the data in the email accounts is ongoing. UC San Diego Health is moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. This review will be complete in September.”
UCSD’s Response
UC San Diego Health has decided to wait until the investigation is complete before notifying data breach victims. Upon doing so, the company will offer them a year of identity theft protection. Unfortunately, with the personally identifiable information (PII) stolen, victims may experience identity theft and other types of fraud before the investigation is over and, as Threatpost comments, “for years to come.”
Threatpost expands on that by saying “Fraudsters can leverage the medical records, lab results, Social Security numbers and government identification numbers to impersonate legitimate patients and commit insurance fraud, seek covered medical care and refill unauthorized prescriptions,” Robert Prigge, CEO of Jumio said. “It’s also possible the exposed information is already circulating on the dark web – where it can command a high value since there’s more personal information in health records than any other electronic database.”
As if that wasn’t scary enough, the more emergent danger for victims is that “They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made. Additionally, it is conceivable that the medical state, diagnosis or prescription information for high profile patients could be of interest to nation-states, terrorist groups, or other threat actors looking to do physical harm.”
UCSD has committed to better security and confirms that they have already taken steps to improve the safety of patient, employee, and student records.
Healthcare Organizations Still a Target
With the pandemic came a flood of cyberattacks, many of them targeted medical providers, and hackers have amassed millions of medical records selling for top dollar on the dark web.
These attacks illuminate the real problem that the healthcare industry is ill-equipped with inferior security measures to handle any type of cybersecurity intrusion.
Threatpost expands on this
“Due to the massive amounts of personal health information (PHI) healthcare institutions store in their systems, the sector as a whole must take a more vigilant approach to security. As such, these organizations must leverage a Zero Trust framework to ensure all their resources and data are granularly secure. Additionally, deploying multi-faceted cybersecurity platforms that include data loss prevention (DLP), multi-factor authentication (MFA), and user and entity behavior analytics (UEBA) can provide them with full visibility and control over their entire network.”
Along with better security, all private organizations need better employee training. According to cybersecurity experts, more than 65% of attacks are due to phishing campaigns and ignorant employees clicking links when they shouldn’t or providing credentials to total strangers.