The University of California San Diego Health reported that they were the victim of a phishing attack that led to a major network breach. The breach exposed the personal and medical data of students, employees, and patients, according to authorities. The organization released a notice on Wednesday that publicly disclosed the attack, which occurred between December of 2020 and April of 2021. Information exposed as a result of the phishing breach included dates of birth, email addresses, social security numbers, addresses, full names, and the dates and costs of medical services. UCSD Health stated that they reported the matter to the Federal Bureau of Investigation.
UCSD stated that it. plans on contacting individuals whose personal and medical data was exposed and will offer victims a year of free identity theft protection services. However, security experts explained that the potential risks associated with the exposed data could impact many of the victims for the next few years. UCSD stated that they are currently conducting a review and analyzing the data in the email accounts to ensure that they
“This process of analyzing the data in the email accounts is ongoing,” the notice said. “UC San Diego Health is moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. This review will be complete in September.”
Dangers of Stolen Data
Post investigation, UCSD Health said it will contact individuals whose personal data was exposed and offer them a year of free identity theft protection services. However, experts point out, the potential risks associated with this type of data loss could impact victims for years.
“Fraudsters can leverage the medical records, lab results, Social Security numbers and government identification numbers to impersonate legitimate patients and commit insurance fraud, seek covered medical care and refill unauthorized prescriptions,” Robert Prigge, CEO of Jumio said. “It’s also possible the exposed information is already circulating on the dark web – where it can command a high value since there’s more personal information in health records than any other electronic database.”
James Carder CSO at LogRhythm added the data could be used in threats far more sinister than identity theft.
“They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made,” Carder said. “Additionally, it is conceivable that the medical state, diagnosis or prescription information for high profile patients could be of interest to nation states, terrorist groups, or other threat actors looking to do physical harm.”
Read More: UC San Diego Health Breach Tied to Phishing Attack