The UC San Diego Health system said that the email accounts of some of its employees were compromised.
UC San Diego Health is a leading health care system in San Diego. It has been ranked as the best hospital in the country multiple times. UC San Diego Health System consists of three hospitals and one medical center.
Jacqueline Carr, an executive at UC San Diego Health, confirmed that the incident was a phishing attack.
After being alerted about suspicious activity, UC San Diego Health discovered that unauthorized access had been made to some of its employee email accounts on April 8.
After learning about the breach, UC San Diego Health immediately terminated the unauthorized access and reported the incident to the FBI.
The attackers maintained access to the personal information of patients, employees, and students for four months, between December 2, 2020, and April 8, 2021, after a successful phishing attack. The information that was accessed includes: full name, address, date of birth, insurance information, claims information, medical records, and Social Security number.
Despite the fact that the attackers had access to the email accounts for over four months, an investigation did not reveal signs that they misused the information.
There is no evidence that the UC San Diego Health IT systems were compromised, “nor do we have any evidence at this time that the information has been misused,” the organization said in a statement.
“In addition to notifying individuals whose personal information may have been involved, UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing our security processes and procedures.”
UC San Diego Health also advises rotating credentials and enabling multifactor authentication (MFA) for personal online accounts whenever possible.
After the investigation is concluded, UC San Diego Health will send out an update to affected individuals.