San Diego Health Data Breach Impacts Patients, Staff, Student PHI  

July 28, 2021 - UC San Diego Health announced a data breach that is impacting patients, students, and staff members’ Protected Health Information (PHI.)  

On July 27, UC San Diego Health published a notice announcing that employee email accounts had been hacked.  

“UC San Diego Health recently identified and responded to a security matter involving unauthorized access to some employee email accounts,” the notification states. “At no time was continuity of care for our patients affected by the event.” 

The hacking incident occurred between December 2, 2020 and April 8, 2021, according to the notice. 

The total number of impacted individuals is not known at this time.  "The investigation is ongoing,"  Jacqueline Carr, Executive Director of Communications and Media Relations for UC San Diego Health, said in a statement to HealthITSecurity. 

“When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls,” the notice states. “UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged.” 

“This process of analyzing the data in the email accounts is ongoing,” the notification states. “UC San Diego Health is moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. This review will be complete in September.” 

“There is no evidence that other UC San Diego Health systems were impacted, nor do we have any evidence at this time that the information has been misused,” the statement notes.  

The PHI involved in the incident includes: full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers,) laboratory results, medical diagnosis and conditions, medical record number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password, according to the notification.  

“UC San Diego Health is committed to safeguarding our community’s personal information,” the notice states. “Once the forensic review has concluded, UC San Diego Health will send individual notices to those students, employees, and patients whose personal information was contained in the accounts, where current contact information is available.” 

Impacted individuals will be eligible for one year of free credit monitoring and identity theft protection services.  

UC San Diego Health “has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing our security processes and procedures,” it noted. “While we have a number of safeguards in place to protect information from unauthorized access, we are also always working to strengthen them so we can stay ahead of this type of threat activity.” 

Individuals impacted by the data breach should monitor their financial statements, credit reports and explanation of benefits from health insurers for unauthorized activity.  

Impacted individuals will be notified by US Mail by September 30, according to the statement.  

For those with questions and concerns, a dedicated call center can be contacted at 855-797-1160 from 6:00 am to 8:00 pm PT, Monday through Friday, and from 8:00 am to 5:00 pm PT on weekends.