The growing value of information is increasing the incentive of hackers to obtain data from both individuals and organizations. These incidents include ransomware attacks in which the perpetrator encrypts the victim’s data or threatens to publish that data unless the victim pays a ransom. Another tactic is to simply sell the information, either to a specific party or the highest bidder.
The data breach at UC San Diego Health (UCSDH) is one of the most recent of these attacks and is especially significant due to the large number of protected health information (PHI) records involved.
Timeline
The investigation is still ongoing, but the most current information shows that the breach began as early as December 2, 2020. UCSDH received a preliminary report of the attack on March 12, 2021 and launched an investigation that verified the attack on April 8, 2021, at which point the attacker’s access to UCSDH systems was terminated. UCSDH announced the breach on July 27, 2021, which was being widely reported by major media outlets by July 30, 2021.
Investigation
As is normally the case, the UCSDH didn’t immediately disclose the data breach to the public. Instead, it reported the matter to the FBI and continued its internal investigation. Once the breach was publicly disclosed, the UCSDH also began directly informing affected individuals of the breach. In addition, UCSDH has promised to provide free credit monitoring and identity theft prevention services to affected individuals one it has completed its investigations. UCSDH has also urged all users to changed their passwords and begin using multi-factor authentication (MFA) to access their accounts.
Method of Attack
The method of attack for the UCSDH data breach was a phishing scheme against the email accounts of UCSDH employees. Details of the attack haven’t been released yet, but it generally involves sending emails to the target addresses purporting to be sent by someone the victim has reason to trust. It usually informs the victim that one of their accounts may have been compromised and requests the victim to log on to that account to verify their information via a link in the email.
However, this link leads to a login page that the hacker controls, although it resembles the actual login page as closely as possible. If the victim attempts to log in to the false page, the hacker will then have the victim’s login information. From there, the hacker can use that information to login to the real account.
Information Disclosed
This data breach resulted in the disclosure of personal information of UCSDH patients, employees and students including the following:
- Full name
- Address
- Date of birth
- Fax number
- Social Security number
- Student ID number
- Username and password
In addition, the breach also compromised the PHI of affected UCSDH members, including claims information such as the date and cost of health care services received. It also disclosed Medical Record Numbers (MRNs), along with medical conditions, laboratory results, diagnoses, treatments and prescriptions. Financial information was another type of data involved in the breach, including payment card number, financial account numbers, security codes and other payment information.
The UCSDH breach illustrates the need to remain alert to the possibility of identity theft. The best defense against this type of activity is to monitor your health and financial accounts regularly for signs of unexpected activity. You should also contact the company maintaining that account as soon as possible when you suspect your account has been compromised.
Data Breach flickr photo by EpicTop10.com shared under a Creative Commons (BY) license
