Pages

Wednesday, July 28, 2021

A breach beyond the breach

From the San Diego Union-TribuneAn as-yet-undisclosed number of patients, employees and others connected to UC San Diego Health potentially had their protected information compromised from Dec. 2 through April 8, according to a public notice posted on the provider’s website midday Tuesday. The notice indicates that the breach occurred via “unauthorized access to some employee email accounts,” but says it did not affect the “continuity of care for our patients.”

Officials confirmed Tuesday that the incursion occurred after someone with a health system email account responded to a “phishing” attempt. The tactic involves tricking employees or other trusted individuals inside an organization to unwittingly type their log-in credentials or other sensitive information into look-alike websites controlled by hackers. A UCSD Health spokesperson said Tuesday that ransomware, software often used to extort money from an organization, was not involved.

UCSD Health was alerted to “suspicious activity” in its digital systems on March 12 and identified and shut down compromised email accounts on April 8, but did not confirm that protected health information had been compromised until May 25. An investigation — said to be ongoing — has discovered that the accounts “contained personal information associated with a subset of our patient, student and employee community.” The health system declined to say how many individuals are affected.

Full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information, treatment information, Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames and passwords are said to be among the types of information that “may have been accessed or acquired.”

The attack comes not long after the University of California notified thousands that many of its campuses were infiltrated through outdated file transfer software made by Accellion Inc. That breach, however, did not affect UC San Diego Health and did not involve medical information. For Accellion, and now for the new health system breach, the university is offering free credit monitoring and identity theft protection for those who have been affected...

Full story at https://www.sandiegouniontribune.com/news/health/story/2021-07-27/uc-san-diego-health-announces-data-breach.

No comments: