California Hospital Sued Over Massive Data Breach
A successful phishing attack on a healthcare employee resulted in a large data breach.
A data breach that may have exposed the personal information of almost 500,000 patients, staff, and students has led to legal action against a California academic healthcare institution.
In July, UC San Diego Health issued a public notice about a security incident. According to the notification, some employee email accounts had been accessed without authorization between December 2, 2020, and April 8, 2021.
The health-care provider stated, "When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls."
The intrusion happened as a result of a phishing attack on a health-system employee's email account, according to Infosecurity Magazine. Suspicious activity in the system's network was identified on March 12, and the compromised email accounts were shut down on April 8.
Once it became known that the contact information of 495,949 people had been compromised, UC San Diego Health began alerting them on September 7.
According to the health system, the attack may have exposed and exfiltrated data such as:
- Full names
- Dates of birth
- Addresses
- Fax numbers
- Email addresses
- Claims information including dates and costs of care received
- Laboratory results
- Medical diagnoses and conditions
- Medical record numbers
- Government identification numbers
- Social Security numbers
- Prescription information
- Treatment information
- Financial account numbers
- Student identification numbers, usernames, and passwords
UC San Diego Health is being sued by lawyers representing an El Cajon, California, cancer patient who was harmed by the data leak, according to the San Diego Union-Tribune. The plaintiff accuses the health-care system of breach of contract, carelessness, and violation of consumer privacy and medical confidentiality rules in California.
According to the lawsuit, the healthcare system did not effectively train personnel to avoid phishing attempts or adopt reasonable security measures.
An undetermined amount of damages is being sought on behalf of all persons whose personal information and medical data may have been leaked.