UC San Diego Health announces data breach of employee email accounts
SAN DIEGO (KUSI) – UC San Diego Health announced Tuesday that a data breach involving unauthorized access to employee email accounts may have led to personal information compromised for the health care system’s patients and employees.
Officials said the breach may have left protected information accessible between Dec. 2, 2020 and April 8, 2021.
According to a UCSD Health statement, during that timeframe “the following information may have been accessed or acquired: full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.”
The accessed email accounts “contained personal information associated with a subset of our patient, student, and employee community,” according to the statement.
The health care system says it “terminated the unauthorized access to these accounts and enhanced our security controls” after the breach was discovered, though “at no time was continuity of care for our patients affected by the event.”
The incident was reported to the FBI, and UCSD Health says it is working with “external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged.”
A review was expected to be completed in September. Notices are expected to be sent to all affected individuals by Sept. 30.
Until then, a dedicated toll-free call center has been established to answer questions at 1-855-797-1160. It is available from 6 a.m. to 8 p.m. Monday through Friday and 8 a.m. to 5 p.m. Saturday and Sunday.
The breach follows a ransomware attack earlier this year involving Scripps Health, which the health care system later announced might have compromised the personal information of more than 147,000 people.