UC San Diego Health Sued Over Healthcare Data Breach

September 30, 2021 - UC San Diego Health is facing a lawsuit after a healthcare data breach spanning from December 2020 to April 2021 impacted almost 500,000 individuals. Lawyers filed the suit in San Diego federal court on behalf of a patient alleging breach of contract, negligence, and violation of California consumer privacy and medical confidentiality laws, The San Diego Union Tribune reported.

UC San Diego posted an announcement on its website in July informing patients that hackers had successfully conducted a phishing attack and gained unauthorized access to employee email accounts.

The breach may have exposed personally identifiable information (PII) and protected health information (PHI), including full names, birth dates, email addresses, fax numbers, addresses, medical diagnoses, medical record numbers, lab results, Social Security numbers, prescription information, government identification numbers, financial account numbers, student identification numbers, usernames, and passwords.

“When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls,” the July statement explained.

“UC San Diego Health reported the event to the FBI and worked with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged, moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted.”

The health system began sending written notices to patients on September 9, 2021.

The lawsuit, which seeks class-action status, alleges that UC San Diego Health failed to implement adequate security practices and train employees on how to prevent phishing attacks.

The suit also argues that the health system failed to detect the breach for months due to insufficient security measures. In addition, the plaintiff alleges that UC San Diego Health violated HIPAA by failing to comply with privacy and security rules.

“As a result of UC San Diego Health’s failure to protect the sensitive information it was entrusted to safeguard, Plaintiff and class members did not receive the benefit of their bargain with UC San Diego Health and now face a significant risk of medical-related identify theft and fraud, financial fraud, and other identity-related fraud now and into the indefinite future,” the filing stated.

Phishing attacks continue to be a major threat to the healthcare sector. Under HIPAA, healthcare organizations are required to train employees on the risks of data breaches and how to maintain proper cyber hygiene.

“Patients should trust that their most private medical results will not be made public, and that their medical visits will not leave them at risk for identity theft,” Jason Hartley, a San Diego attorney who is working with lead counsel Stueve Siegel Hanson on the lawsuit, told The San Diego Union Tribune.

“This breach was preventable — had UC San Diego Health had the right data protection protocols in place.”

UC San Diego Health said in a statement that it has since enhanced its security controls and will provide complimentary credit monitoring and identify theft protection services to impacted individuals. In addition, the health system pledged to change employee email credentials, disable access points, and implement stronger security procedures.