UC San Diego Health announced on July 27, 2021, that the health care provider experienced unauthorized access to employee email accounts. According to a press release issued on this date, patients’ continuity of care did not suffer as a result of the security event.
An individual with a UC San Diego Health email account responded to a phishing attempt, thereby initializing the infiltration, according to The San Diego Union-Tribune’s coverage of the breach.
The university-based health care system’s security team responded to the security threat by terminating the unauthorized access, enhancing security controls, and reporting the matter to the Federal Bureau of Investigation (FBI). Outside cybersecurity experts have stepped in to help the organization investigate the breach and identify all impacted data. UC San Diego Health reports that as of this writing, they have identified a “subset of our patient, student, and employee community” as a group whose personal information was contained in the affected email accounts.
Potentially Exposed Data
From December 2, 2020, to April 8, 2021, hackers might have accessed or acquired the following types of personal information:
- Full name
- Date of birth
- Fax number
- Claims information
- Lab results
- Medical diagnosis and conditions
- Medical Record Number (and other medical identifiers)
- Prescription information
- Treatment details
- Medical information
- Social Security number
- Government ID number
- Payment card number/financial account number and security code
- Student ID number
- Username and password
Concerns About Notification Dates
The Breach Notification Rule of the Health Insurance Portability and Accountability Act specifically requires organizations that experience a data breach to notify affected individuals “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” UC San Diego Health confirmed this breach on May 25, 2021.
UC San Diego Health plans to notify all people whose data was accessed by September 30, 2021. The health system explained the disconnect between notification requirements established by federal law and the organization’s slated notification date as stemming from cautious diligence. This concern may or may not warrant such a prolonged delay in the eyes of individuals who now sit in worry over whether their data and privacy have been compromised.
The health care provider also intends to give affected individuals a free year of credit monitoring and identity theft protection services through Experian IdentityWorks. In the meantime, the organization suggests that people connected with the health care provider—whether as a patient, student, or employee—be vigilant in monitoring their financial statements, credit reports, and insurance providers’ explanations of benefits (EOBs) for any suspicious or unauthorized activity.
UC San Diego Health administrators say the organization’s forensic review will wrap up in September. The organization has set up a call center dedicated to answering questions about this data breach. Individuals with questions can call the toll-free number at 1-855-797-1160. Those concerned can also visit an FAQ website created to address the most common questions related to the security event.
Evaluations for Class-Action Lawsuit Commence
Although UC San Diego Health reports they have no evidence to date “that the information has been misused,” this could change at any moment.
The attorneys at Levin, Papantonio, Rafferty, Proctor, Buchanan, O’Brien, Barr, & Mougey, P.A. are investigating potential claims against UC San Diego Health. The legal team invites individuals who believe they have been harmed or could suffer harm as a result of this data breach to contact the law firm. Upon review of the facts, attorneys will determine callers’ eligibility to participate in a class-action lawsuit against the health system.