UC San Diego Health is sued over data breach that may have exposed records of 500,000 patients

Jacobs Medical Center in La Jolla is part of UC San Diego Health.
(Eduardo Contreras / The San Diego Union-Tribune)

Lawsuit seeks class-action status in a case in which a phishing scam allowed access to a wide range of sensitive information.

UC San Diego Health faces a lawsuit over a data breach last winter and spring that potentially exposed sensitive information from nearly a half-million patients, employees and others connected with the health care system.

Lawyers representing an El Cajon cancer patient filed legal action this week in federal court in San Diego alleging negligence, breach of contract and violation of California consumer privacy and medical confidentiality laws. It seeks class-action status and unspecified damages for all people whose personal and medical information may have been compromised.

“Patients should trust that their most private medical results will not be made public and that their medical visits will not leave them at risk for identity theft,” said San Diego attorney Jason Hartley, who is working with lead counsel Stueve Siegel Hanson of Kansas City, Mo. “This breach was preventable had UC San Diego Health had the right data protection protocols in place.”

The lawsuit names the regents of the University of California, doing business as UC San Diego Health. A university representative declined to comment about pending litigation.

In July, the health care system announced on its website that hackers had used a phishing scam to gain unauthorized access to certain email accounts over a four-month period from Dec. 2 through April 8.

That opened the door to potential access to a wide range of personal and medical data. At the time, UCSD Health didn’t say how many people were affected, citing the ongoing investigation, which included reporting the breach to the FBI and working with external cybersecurity experts.

That probe is now complete. On Sept. 7, UCSD Health began notifying the 495,949 individuals affected by the breach on a rolling basis where contact information is available, according to the representative.

Full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription and treatment information, Social Security numbers, government and student identification numbers, financial account numbers, usernames and passwords are among the types of information that may have been accessed in the breach.

Medical records are particularly valuable to cybercriminals because they can be used to illegally buy prescription drugs or file bogus medical insurance claims, Hartley said. While a stolen credit card is easily canceled, medical data often contains more substantial personal information that can be used to open bogus credit accounts or take out fraudulent loans.

The lawsuit alleges that UCSD Health failed to implement reasonable security practices and adequately train employees on how to avoid phishing attacks, which attempt to trick employees into clicking on email links that install malicious code to penetrate an organization’s computer networks.

The lawsuit also alleges that the health care system lacked procedures to detect the intrusion quickly and took too long to notify victims. And it claims the data breach is a violation of the system’s responsibility to comply with the privacy and security rules related to the Health Insurance Portability and Accountability Act, or HIPAA.

UCSD Health has arranged for people whose data was potentially compromised to receive one year of free credit monitoring and identity theft protection services through IDX, a data breach remediation service. Its coverage includes a $1 million insurance reimbursement policy and fully managed identity theft recovery.

In addition, the system said it has enhanced security controls since the breach, including changing employee credentials, disabling access points on its network and enhancing security processes and procedures.

“While there are a number of safeguards in place to protect information from unauthorized access, UC San Diego Health is also always working to strengthen them so we can further minimize the risk of this type of threat activity,” the system said in a statement.