PHI of 15,000 UC Davis Health Patients Compromised in Phishing Attack

University of California Davis Health is alerting almost 15,000 patients that their PHI may have been viewed as a result of an employee falling for a phishing scam.

The incident occurred on May 15, 2017. A phishing email was sent to a UC Davis Health employee who responded and unwittingly gave the attacker login credentials to his/her email account. That email account was accessed by the attacker on May 17.

It is possible that the attacker accessed the employee’s email messages and viewed and/or obtained patients’ PHI. The investigation did not uncover any evidence to suggest that any patients’ PHI was viewed, although it was not possible to rule out the possibility with a high degree of confidence.

On May 17, the attacker used the email account to send emails to other staff members requesting bank transfers for large sums of money. The emails were recognized as fraudulent and were reported to the data security team which secured the email account to prevent further access. Since access to the email account was rapidly blocked it is possible that PHI was not viewed or copied by the attacker. However, out of an abundance of caution, affected individuals have been notified of the breach.

The employee had previously conducted various informational mailings and was required to perform other actions that required a limited amount of patients’ PHI. Consequently, the email account contained some PHI.

In most cases, the PHI in the email account was limited to patients’ names’ addresses, and phone numbers, although some patients’ Social Security numbers, medical record numbers and diagnoses were also potentially compromised.

Individuals whose sensitive information was exposed have been offered credit monitoring and identity theft protection services without charge for 12 months.

UC Davis Health says the phishing email was delivered to the employee’s inbox even though security measures had been introduced to block spam and phishing emails. An intrusion detection solution had been installed, but failed to detect fraudulent use of the email account. Staff at UC Davis Health are also provided with security awareness training to raise awareness of phishing and other threats.

UC Davis Health is now evaluating its security controls and training program and is considering augmenting its security protections to improve resilience against phishing attacks.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 14,900 individuals were impacted by the security breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.