UC San Diego Health confirmed Tuesday it had fallen prey to a data breach involving “unauthorized access to some employee email accounts.” Here’s what we know about what the health group is calling a “security matter.”
UC San Diego Health posted this notice Tuesday outlining details of the data breach.
The health group said some employee email accounts had been impacted in the security incident but added: “At no time was continuity of care for our patients affected by the event.”
“When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls,” the notice released by UC San Diego Health read. “UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged.”
Get San Diego local news, weather forecasts, sports and lifestyle stories to your inbox. Sign up for NBC San Diego newsletters.
UC San Diego Health said the investigation is ongoing as to which data was impacted but added:
“At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community.”
The health group said the review was expected to be completed in September.
Meanwhile, UC San Diego Health said there is no evidence that other UC San Diego Health systems were impacted or that any information obtained in the breach has been misused.
What Information Was Involved? And When?
UC San Diego Health said this case involves data breached between Dec. 2, 2020, and April 8, 2021. The health group said this type of information may have been accessed or acquired:
- Full name
- Date of birth
- Fax number
- Claims information (date and cost of health care services and claims identifiers)
- Lab results
- Medical diagnosis and conditions
- Medical Record Number and other medical identifiers
- Prescription information
- Treatment information
- Medical information
- Social Security number
- Government identification number
- Payment card number or financial account number and security code
- Student ID number
- Username and password
UC San Diego Health said that once the forensic review of the breach is completed, the health group will send personal notices to those students, employees, and patients whose personal information was contained in the accounts – so long as current contact information for those who are impacted is available.
Those notices would be sent by Sept. 30, 2021, UC San Diego Health said.
UC San Diego Health said it will offer one year of free credit monitoring and identity theft protection services through Experian IdentityWorks to individuals whose data was impacted.
At this point, UC San Diego Health said it has taken “remediation measures” including changing employee credentials and enhancing security procedures.
What If Your Data Was Impacted?
In addition to the data breach notices UC San Diego Health plans to send out, the health group said it has established a call center to answer questions about the security incident.
The number for the center is 1 (855) 797-1160; it’s open Monday through Friday from 6 a.m. to 8 p.m. PT, and from 8 a.m. to 5 p.m. PT on weekends.
“A dedicated Experian representative on behalf of UC San Diego Health will be available to assist community members,” UC San Diego Health said.
The health group offered other tips about credit reports, fraud alerts, and security freezes in its notice about the data breach.
The news comes two months after Scripps Health announced “ransomware attacks” targeted its technology systems in May. The health care group later announced over 147,000 patients, students and physicians might have had their personal and financial information compromised in the cyberattack.