UC San Diego: Phishing Leads to Account Access for Months
Intrusion Affects Patients, Employees and Students
UC San Diego Health says a phishing incident led to unauthorized access to an undisclosed amount of information on patients, employees and students for at least four months.
The California healthcare system, which includes four hospitals and more than a dozen clinics, says that on March 12, it was alerted to "suspicious activity" and immediately launched an investigation. On April 8, UC San Diego determined there was unauthorized access to some employee email accounts from Dec. 2, 2020, to April 8.
"We are aware that these email accounts contained personal information associated with a subset of our patient, student and employee community," UC San Diego Health says.
The healthcare provider organization says individuals' information that may have been accessed or acquired in the email account breach includes name, address, date of birth, email, fax number and claims information - including date and cost of health care services and claims identifiers, laboratory results, medical diagnoses and conditions, medical record numbers and other medical identifiers. Other potentially compromised data includes prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.
"There is no evidence that other UC San Diego Health systems were impacted, nor do we have any evidence at this time that the information has been misused," the health system says.
A UC San Diego spokeswoman tells Information Security Media Group that ransomware was not involved in the phishing incident. She did not immediately respond to ISMG's request for other details about the breach, including the number of individuals affected.
Jim Van Dyke, who tracks data breach trends as a senior vice president at security firm Sontiq, says the data potentially exposed in the UC San Diego incident "was as bad as they get for affected victims: a very rare 10 on our 1-10 scale of risk created for breach victims."
The potential exposure of Social Security numbers, driver’s license numbers and payment card information, in particular, poses serious risks of fraud, he says.
"It’s very rare to see this breadth of data records exposed because most organizations have safeguards in place to prevent any one individual from accessing such a wide variety of PII, PCI, and PHI data," he says.
Email remains the top attack vector for healthcare in businesses of all sizes, says Troy Gill, threat hunter and manager of Zix's AppRiver Threat Research Team. Healthcare organizations must ensure that their employees are familiar with how to spot phishing threats, he adds.
The phishing incident at UC San Diego is one of several reported in the healthcare sector in recent weeks.
For instance, Grapevine, Texas-based Academic HealthPlans, an administrator of student health plans, last week disclosed two email accounts were accessed as a result of a phishing campaign (see: Student Health Plan Vendor Breach Raises Regulatory Issues).
Chris Handy, a senior security analyst at the consultancy Pondurance, advises healthcare entities to take a number of critical steps to avoid falling victim to phishing scams.
"Enabling multifactor authentication for email will make unauthorized access difficult in the case of bad or stolen passwords being used," he notes.
"We also recommend having robust log analysis in place. These kinds of events are detected by looking for combinations of successful logins from different - or unexpected - locations, changes to mailbox rules or other changes to user accounts."
Many of the latest phishing campaigns use documents hosted at legitimate sites as the bait, he notes. "We recommend thoroughly training employees to make them question whether they really need to click on that link in an email - and then enter their username and password in the box that pops up."
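As an added illustration of the log analysis Handy recommends above (example code written for this page, not code from ISMG, Pondurance, Zix or UC San Diego), the Python below runs three simple detections over a handful of constructed audit lines: successful logins from a location outside an organization's baseline, successful logins from two different locations within a short window, and mailbox-rule or account changes. The log format, event names, locations, user names and the six-hour window are all assumptions made for the example; real mail platforms use their own audit schemas. The last function shows why combinations matter: a login anomaly on its own is noise, but a login anomaly followed by a new inbox rule or a forwarding change on the same account is the pattern that account-takeover investigations look for first.

```python
"""Toy detection logic for the three signals Handy names (added example, not the page's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines, not real data. Format: timestamp|user|event|location|detail
SAMPLE_LOG = """\
2020-12-02T08:01:00|alice@example.org|LoginSuccess|US-CA|ip=198.51.100.7
2020-12-02T08:40:00|alice@example.org|LoginSuccess|RU|ip=203.0.113.9
2020-12-02T08:42:00|alice@example.org|InboxRuleCreated|RU|rule=move-to-RSS-Feeds
2020-12-02T08:45:00|alice@example.org|ForwardingChanged|RU|target=external@example.net
2020-12-02T09:10:00|bob@example.org|LoginSuccess|US-CA|ip=198.51.100.20
2020-12-02T17:30:00|bob@example.org|LoginSuccess|US-CA|ip=198.51.100.21
2020-12-03T07:55:00|carol@example.org|LoginSuccess|US-NY|ip=192.0.2.44
2020-12-03T08:15:00|carol@example.org|MfaMethodChanged|US-NY|method=phone
"""

EXPECTED_LOCATIONS = {"US-CA", "US-NY"}   # assumed per-organization baseline of normal login locations
TRAVEL_WINDOW = timedelta(hours=6)        # assumed: two distinct locations within this window is suspicious
MAILBOX_RULE_EVENTS = {"InboxRuleCreated", "InboxRuleModified"}            # constructed event names
ACCOUNT_CHANGE_EVENTS = {"ForwardingChanged", "MfaMethodChanged", "PasswordReset"}  # constructed


def parse_log(text):
    """Turn the pipe-delimited sample lines into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, location, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "location": location, "detail": detail})
    return events


def detect_unexpected_logins(events):
    """Successful login from a location outside the baseline set."""
    return [("unexpected_location", e["user"], e["location"], e["ts"])
            for e in events
            if e["event"] == "LoginSuccess" and e["location"] not in EXPECTED_LOCATIONS]


def detect_multi_location_logins(events):
    """Successful logins by one user from different locations within TRAVEL_WINDOW."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LoginSuccess":
            by_user[e["user"]].append(e)
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["location"] != cur["location"] and cur["ts"] - prev["ts"] <= TRAVEL_WINDOW:
                alerts.append(("multi_location", user,
                               f'{prev["location"]}->{cur["location"]}', cur["ts"]))
    return alerts


def detect_mailbox_and_account_changes(events):
    """Mailbox-rule changes and other account changes, each reported with its detail."""
    alerts = []
    for e in events:
        if e["event"] in MAILBOX_RULE_EVENTS:
            alerts.append(("mailbox_rule_change", e["user"], e["detail"], e["ts"]))
        elif e["event"] in ACCOUNT_CHANGE_EVENTS:
            alerts.append(("account_change", e["user"], e["detail"], e["ts"]))
    return alerts


def run_detections(text):
    """All alerts from all three detections, ordered by time."""
    events = parse_log(text)
    alerts = (detect_unexpected_logins(events)
              + detect_multi_location_logins(events)
              + detect_mailbox_and_account_changes(events))
    return sorted(alerts, key=lambda a: a[3])


def users_with_correlated_signals(alerts):
    """Users with BOTH a login anomaly and a mailbox/account change: escalate these first."""
    login_kinds = {"unexpected_location", "multi_location"}
    change_kinds = {"mailbox_rule_change", "account_change"}
    by_user = defaultdict(set)
    for kind, user, _, _ in alerts:
        by_user[user].add(kind)
    return sorted(u for u, kinds in by_user.items() if kinds & login_kinds and kinds & change_kinds)


if __name__ == "__main__":
    found = run_detections(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("escalate:", users_with_correlated_signals(found))
```

On the constructed sample, bob's two same-location logins produce nothing, carol's MFA change is flagged but not escalated because her login was from a baseline location, and alice is escalated because a login from an unexpected location is followed within minutes by a new inbox rule and a forwarding change. In a production pipeline the baseline would come from each user's own login history rather than a fixed set, and the window would account for time zones and VPN egress points to keep the false-positive rate workable.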
Another Major San Diego Attack
The disclosure of the UC San Diego Health phishing incident comes in the wake of a ransomware attack on another major San Diego-based healthcare provider.
In May, Scripps Health said an investigation into the incident discovered on May 1 determined that an "unauthorized person" gained access to its network, deployed malware and, on April 29, "acquired copies of some of the documents" containing patient information.
The incident, which Scripps Health later confirmed involved ransomware, disrupted patient services for weeks as the entity took its electronic health records, patient portal and other systems offline during its recovery. Clinicians had to resort to using paper records and other manual processes in patient care, and many appointments and procedures were postponed.
Several lawsuits have been filed against Scripps Health in the wake of that incident, which the entity reported as affecting the protected health information of nearly 150,000 individuals (see: Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack).