UC Davis Health announced today that it is in the process of notifying approximately 15,000 patients of a breach of an employee’s email account as a result of a phishing scam. Though there is no indication that the breach resulted in the actual acquisition of or access to personal or medical information, out of an abundance of caution, the university is notifying patients whose information was stored in the account.
The employee has helped with informational and event mailings on behalf of UC Davis Health, and in this role received limited information about some patients, including name, address, phone number and, in some cases, medical record number, diagnosis and social security number. For this reason, the health system is providing identity- and credit-protection options to those individuals whose sensitive personal information was stored on the system, even though there is no current indication that their information was viewed or accessed.
Investigation of the incident is ongoing. It is clear, though, that a phishing email was sent to the employee on May 15, 2017. Upon gaining access to the email account, the intruder posed as the account owner and sent emails to other UC Davis Health employees on May 17, 2017, making fraudulent requests for large transfers of funds. Health system staff quickly recognized the scam and promptly notified the university’s data security team, which took swift action to secure the account and prevent further threats from the intruder.
The UC Davis email system utilizes security measures designed to prevent spam and phishing, and to detect intrusions. Additionally, mandatory annual cybersecurity training and frequent reminders are designed to maintain awareness among members of the health system about the evolving threats. As part of the ongoing investigation, UC Davis Health is evaluating the need for additional security monitoring or education initiatives.
UC Davis Health has notified, or will be notifying, several government agencies about the breach, including the California Department of Public Health, the California Office of the Attorney General, and the U.S. Department of Health and Human Services’ Office for Civil Rights.
Patients with questions about the incident can call 855-216-0658 for additional information.