Cybercriminals recently hacked into the email accounts of staff at UC San Diego Health, potentially thieving extensive financial and medical information from its patients and employees.
The hospital, which is the academic health system for the college that shares its name, put out a statement Tuesday about an incident in which someone had gained “unauthorized access to some employee email accounts.” The attack was apparently the result of a successful phishing operation. Hackers used an old trick: the deployment of lookalike web addresses, styled in the format of the hospital’s own site. When duped staff typed in their login credentials to the phony webpages, criminals were there to harvest them.
The hacker or hackers were inside the email accounts for approximately four months, from December 2, 2020, to April 8, 2021, during which time they had access to the “personal information associated with a subset of our patient, student, and employee community,” the firm said, though it hasn’t revealed just how many people have been affected.
The hospital learned of suspicious activity as early as March but apparently took a month to determine that the accounts had, indeed, been hacked. We reached out to UC San Diego for further details and will update this story if they respond.
As to the information that has been compromised, holy shit, it’s pretty extensive. The hospital says the breach may have included:
full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.
That kind of sounds like... uh, everything.
The hospital says that it has contacted law enforcement and is working diligently to understand the full scope of the breach. It plans to notify patients who were personally affected by September 30. “UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged,” the medical facility said.
The whole thing is a real bummer but UC San Diego Health is not alone. Cyberattacks on hospitals have picked up in recent years—with the trend becoming particularly pronounced during the onset of the pandemic last year. As giant warehouses of personal information, medical facilities are natural targets for hackers, whose entire black market business model revolves around finding and selling ill-gotten data. Problematically, the healthcare sector has also been found to have pretty overt shortfalls when it comes to IT security, making the industry a perfect storm for today’s ever escalating cyber woes.