UC San Diego Health announces data breach

Staff members take a COVID-19 patient to the intensive care unit at UC San Diego Health’s Jacobs Medical Center in La Jolla in June 2020.
(Nelvin C. Cepeda / The San Diego Union-Tribune)

Protected information of an as-yet-undisclosed number of patients, employees and others connected to UC San Diego Health was potentially compromised from Dec. 2 through April 8, according to a public notice posted on the provider’s website July 27.

The notice indicates that the breach occurred via “unauthorized access to some employee email accounts” but says it did not affect the “continuity of care for our patients.”

Officials confirmed that the incursion occurred after someone with a health system email account responded to a “phishing” attempt. The tactic involves tricking employees or other trusted individuals inside an organization into unwittingly typing their log-in credentials or other sensitive information into look-alike websites controlled by hackers.

A UCSD Health representative said ransomware — software often used to extort money from an organization — was not involved, unlike when the Scripps Health system was struck by a ransomware attack in May.

UCSD Health was alerted to “suspicious activity” in its digital systems on March 12 and identified and shut down compromised email accounts on April 8, but did not confirm that protected health information had been compromised until May 25. An investigation — said to be continuing — has discovered that the accounts “contained personal information associated with a subset of our patient, student and employee community.”

The health system declined to say how many individuals are affected.

Full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information, treatment information, Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames and passwords are said to be among the types of information that “may have been accessed or acquired.”

Earlier this year, the University of California notified thousands that many of its campuses were infiltrated through outdated file transfer software made by Accellion Inc. That breach, however, did not affect UC San Diego Health and did not involve medical information.

For Accellion, and now for the new health system breach, the university is offering free credit monitoring and identity theft protection for those who have been affected.

Scripps Health found itself taking similar steps in late May after notifying the public that the month-long ransomware attack potentially compromised the protected information of more than 147,000 people.

Scripps was forced to take down the bulk of its digital systems for most of May, dramatically affecting everything from its ability to confirm existing appointments to diverting ambulances from hospitals that lost access to its digital medical records system.

Though the UCSD Health breach did not similarly disrupt care, many now face the uncomfortable reality that their sensitive medical information may be in the hands of hackers, despite assurances that, so far, there are no indications “that the information has been misused.”

UC San Diego Health indicated that it will begin notifying students, patients and employees that their records were compromised once its “forensic review has concluded.” It expects to send notices to all impacted individuals by Sept. 30.

For UCSD Health patients, students and staff, that may seem like a long time to wait, given that data loss was confirmed May 25. In a follow-up statement, the health system said it is holding off on notification out of an abundance of caution.

“We want to ensure that when we send notifications to individuals, the letter each individual receives accurately reflects the information that was potentially impacted for that specific individual,” UCSD Health said in an email.

It isn’t clear whether a desire for completeness is considered a valid reason to delay notification of people affected by a data breach. Federal law, namely the Breach Notification Rule of the Health Information Portability and Accountability Act, requires affected individuals to be notified “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”