UC San Diego Health announces data breach impacting patients, employees, and students
From their substitute notice of July 27, 2021:
To the UC San Diego Health community:
UC San Diego Health recently experienced a security event involving unauthorized access to some employee email accounts. This notice provides up-to-date information on what happened and what we are doing.
When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls. UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged. This process of analyzing the data in the email accounts is ongoing. UC San Diego Health is moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. This review will be complete in September.
There is no evidence that other UC San Diego Health systems were impacted, nor do we have any evidence at this time that the information has been misused.
While the investigation is ongoing, UC San Diego Health is notifying the community of what personal information may have been involved. Between December 2, 2020 and April 8, 2021, the following information may have been accessed or acquired: full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.
You can read the rest of their substitute notice on their web site.