In July 2021, UC San Diego Health notified the public that it had been the victim of a four-month long phishing attack that gave hackers access to the protected health information of 495,949 patients. As a result, a health data breach lawsuit was filed alleging a violation of California Consumer Privacy Act, negligence, and breach of contract. The lawsuit seeks class-action status.
What Information Was Compromised?
When UC San Diego Health was targeted by a phishing attack, hackers were able to access patient protected health information. The information potentially compromised in the incident included patient names, dates of birth, addresses, email addresses, fax numbers, claims information, laboratory results, medical diagnoses and conditions, medical record numbers, prescription and treatment information, Social Security numbers, and financial account numbers. Other personal information that may have been exposed as a result of the phishing incident included government and student identification numbers, and usernames and passwords.
How Could the Breach Have Been Prevented?
According to the health data breach lawsuit, patients claim that UC San Diego Health neglected their responsibility to protect the privacy and security of their private information. Since the breach went undetected for so long the patients allege that, had UC San Diego Health implemented more sophisticated breach detection technology, the breach would have been detected sooner, mitigating the scope of the breach. The patients also claim that UC San Diego Health failed to provide them with timely notification that their information had been compromised since they did not start informing affected patients until five months after the breach was detected.
San Diego attorney Jason Hartley stated, “Patients should trust that their most private medical results will not be made public and that their medical visits will not leave them at risk for identity theft. This breach was preventable had UC San Diego Health had the right data protection protocols in place.”
Since discovering the breach, UC San Diego Health has implemented new security measures, “While there are a number of safeguards in place to protect information from unauthorized access, UC San Diego Health is also always working to strengthen them so we can further minimize the risk of this type of threat activity,” the system said in a statement.
