More than 160,000 affected by data breach at UC Berkeley

Hackers had access to a database for about six months at the University of California at Berkeley and stole health-related data on more than 160,000 students and other people who used the school’s health services center. College officials said that the attack on the health center’s database was discovered last month and that they are just now beginning to notify the affected people.

In a statement released Friday, Berkeley officials said that the attack did not affect the database that houses the University Health Services medical records, which includes information on patient diagnoses, treatment and therapy. Instead, the attackers went after a machine storing other personally identifiable information, including Social Security numbers and health insurance information.

The attack, which affects students, alumni and some parents of students, depending on how the health care coverage was set up, netted records going back to 1999, the school said.

“The server breach began on Oct. 9, 2008, and continued until April 9, 2009, when campus computer administrators performing routine maintenance identified messages left by the hackers. Administrators immediately activated an emergency security incident team to investigate the scope and impact of the breach; evidence uncovered to date suggests that the attack was launched by hackers based overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server,” the Berkeley statement says.

Although the attackers did not get into the main health record database, according to Berkeley, they may have gotten access to some students’ health histories.

“The hackers may have stolen information related to health insurance coverage and some medical information such as one’s immunization history, UHS medical record number, dates of visits or names of providers seen or, for a student participating in UC Berkeley’s Education Abroad Program, certain information from his or her self-reported health history,” the statement said.

*Composite image via Shazari’s Flickr photo stream.
