UC San Diego Health Breach Tied to Phishing Attack

Employee email takeover exposed personal, medical data of students, employees and patients.

Authorities at the University of California San Diego Health reported that a phishing attack led to a major breach, giving an adversary access to employee email accounts that held sensitive patient, student and employee data.

A Wednesday notice from UCSD Health explains that the attack occurred between Dec. 2, 2020 and April 8, 2021 and exposed personal information including full names, addresses, dates of birth, email addresses, Social Security numbers and the dates and costs of medical services.

UCSD Health said the matter was referred to the Federal Bureau of Investigation.

“This process of analyzing the data in the email accounts is ongoing,” the notice said. “UC San Diego Health is moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. This review will be complete in September.”

Dangers of Stolen Data

After the investigation, UCSD Health said it will contact individuals whose personal data was exposed and offer them a year of free identity theft protection services. However, experts point out that the risks associated with this type of data loss could affect victims for years, since names, dates of birth and Social Security numbers cannot be reissued the way a password or payment card can.

“Fraudsters can leverage the medical records, lab results, Social Security numbers and government identification numbers to impersonate legitimate patients and commit insurance fraud, seek covered medical care and refill unauthorized prescriptions,” Robert Prigge, CEO of Jumio, said. “It’s also possible the exposed information is already circulating on the dark web – where it can command a high value since there’s more personal information in health records than any other electronic database.”

James Carder, CSO at LogRhythm, added that the data could be used in threats far more sinister than identity theft.

“They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made,” Carder said. “Additionally, it is conceivable that the medical state, diagnosis or prescription information for high profile patients could be of interest to nation states, terrorist groups, or other threat actors looking to do physical harm.”

Healthcare Diagnosis: Weak Security

Still, despite the rising number of attacks against the health care sector throughout the COVID-19 pandemic, medical cybersecurity hasn’t kept pace, said Anurag Kahol, CTO and co-founder of Bitglass.

Kahol points out that between 2019 and 2020 the number of healthcare breaches spiked by 55.1 percent.

“Due to the massive amounts of personal health information (PHI) healthcare institutions store in their systems, the sector as a whole must take a more vigilant approach to security,” Kahol said. “As such, these organizations must leverage a Zero Trust framework to ensure all their resources and data are granularly secure. Additionally, deploying multi-faceted cybersecurity platforms that include data loss prevention (DLP), multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) can provide them with full visibility and control over their entire network.”

Regardless of the approach, it’s evident that healthcare organizations need better cybersecurity than a basic firewall and employee awareness training alone; the UCSD Health intrusion began with a single phished employee mailbox and went undetected for roughly four months. A recent Cloudian report found that 65 percent of organizations that fell victim to phishing attacks had previously conducted employee cybersecurity training.

Alicia Townsend, technology evangelist at OneLogin, pointed out that UCSD Health, in its public breach notification statement, suggested that even basic user training was lacking.

“UC San Diego Health has stated that they have taken steps to enhance their security processes and procedures,” Townsend said. “But even they admit that they need the ‘community to remain alert to threats.’ We have stated it before, and it needs to be stated again: healthcare institutions must implement security training for all of their users. Everyone needs to be educated on how to spot phishing attempts, how to keep their passwords secure, the importance of using additional authentication factors, and what to do in case they suspect an attack.”
