“UC San Diego Health reported the event to the FBI and is working with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged,” said health system officials in the notice.
The hackers had access to lots of data, including:
- full name
- date of birth
- fax number
- claims information (date and cost of health care services and claims identifiers)
- laboratory results
- medical diagnosis and conditions
- Medical Record Number and other medical identifiers
- prescription information
- treatment information
- medical information
- Social Security Number
- government identification number
- payment card number or financial account number and security code
- student ID number
- username and password
This was all the result of an apparent successful phishing attack, with a notice from the hospital stating someone had gained “unauthorized access to some employee email accounts.” This security breach remained unidentified for over four months.
The cybercriminals used an old but extremely effective tactic, the use of a fake landing (login) page, which looks identical to that of the hospital’s. Employees then simply input their credentials which are then harvested by the hacker.
As giant warehouses of personal information, medical facilities are natural targets for hackers, whose entire black market business model revolves around finding and selling ill-gotten data. Problematically, the healthcare sector has also been found to have pretty overt shortfalls when it comes to IT security, making the industry a perfect storm for today’s ever escalating cyber woes.
Are your employees well enough trained to spot phishing scams such as this one? Find out today in our Free Click-Prone® Test.