An academic healthcare system in California is facing legal action over a data breach that potentially exposed the information of nearly half a million patients, employees, and students.
UC San Diego Health disclosed a security incident in July via a public notice. The notice indicated that unauthorized access to “some employee email accounts” had taken place from December 2, 2020, to April 8, 2021.
The incursion occurred after an employee with a health-system email account took the bait proffered in a phishing attack. Suspicious activity was detected in the system’s network on March 12, and the compromised email accounts were shut down on April 8.
“When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls,” said the healthcare provider.
The health system said that data potentially accessed and exfiltrated in the attack might include full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, and laboratory results. Other information might include medical diagnoses and conditions, medical record numbers, prescription information, treatment information, social security numbers, government identification numbers, financial account numbers, student identification numbers, and usernames and passwords of a “subset of our patient, student and employee community.”
On September 7, UC San Diego Health began notifying 495,949 individuals — where contact information was available — that they may have been affected by the breach.
The San Diego Union-Tribune reports that lawyers representing a cancer patient from El Cajon filed a suit last week against UC San Diego Health over the data breach. The plaintiff has accused the healthcare system of breach of contract, negligence, and violation of California consumer privacy and medical confidentiality laws.
“This breach was preventable had UC San Diego Health had the right data protection protocols in place,” said San Diego attorney Jason Hartley.
The plaintiff asserts that the healthcare system failed to adequately train employees on how to avoid phishing attacks and neglected to implement reasonable security practices.
The suit is seeking class-action status and unspecified damages for all the individuals whose medical data and personal information may have been exposed.