UC Davis Health

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

UC Davis Health Data Breaches Overview

UC Davis Health has experienced multiple data breaches over recent years, affecting patient and employee information through various incidents, including unauthorized access to employee email accounts and electronic medical records (EMRs).

Unauthorized Access to EMRs (2017-2022)

In an incident identified on August 5, 2022, UC Davis Health discovered that a staff member had accessed EMRs without a work-related purpose from November 2, 2017, to July 18, 2022. The unauthorized access involved demographic and clinical information, including names, dates of birth, medical record numbers, addresses, phone numbers, and clinical details within medical records. Financial and billing information and Social Security numbers were not accessed. UC Davis Health took corrective actions, including internal and external breach reporting, to mitigate risks to affected patients and prevent future occurrences. Notifications were sent to the affected patients between August 23 and August 25, 2022[1].

Email Account Breaches (2023)

On July 25, 2023, UC Davis Health confirmed another data breach stemming from unauthorized access to an employee’s email account. This breach was identified as part of the health system’s IT security monitoring. The compromised email account contained personally identifiable information used for coordinating patient care. Although the breach was detected promptly and the employee’s credentials were frozen, the delay in public disclosure was not explained. UC Davis Health offered affected individuals complimentary 12-month credit monitoring services through Experian and advised on steps to protect personal information[2].

Phishing Attacks and Email Hacking

UC Davis Health has also been targeted by phishing attacks and email hacking, leading to potential exposure of patient information. In one instance, a phishing scam in May 2017 resulted in the breach of data for approximately 15,000 patients[16][18]. Another incident, reported on July 28, 2023, involved the hacking of an employee’s email account, potentially exposing patient names and other information used to coordinate follow-up care appointments[8].

Delta Dental/MOVEit Data Breach Impacting UC Employees

Separately, UC Davis Health notified the community about a data breach at Delta Dental of California, affecting approximately 190,000 UC employees, retirees, and dependents. This breach, occurring between May 27 and May 30, 2023, was part of a global security incident involving the MOVEit file-transfer software. Compromised information included names, addresses, Social Security numbers, dates of birth, and health care information. Delta Dental has been working with law enforcement and third-party vendors to investigate the incident and limit the release of stolen information, offering 24 months of free credit monitoring and identity theft protection to affected individuals[5].

Conclusion

These incidents underscore the ongoing challenges and importance of cybersecurity within healthcare institutions. UC Davis Health has taken steps to address these breaches, including notifying affected individuals, offering credit monitoring services, and enhancing security measures to prevent future incidents.

Citations:

  1. https://health.ucdavis.edu/legal/privacy-breach-substitute-notice
  2. https://www.legalscoops.com/uc-davis-health-suffers-data-breach/
  3. https://healthexec.com/topics/health-it/cybersecurity/email-hacking-source-uc-davis-breach
  4. https://servicehub.ucdavis.edu/servicehub?id=ucd_kb_article&sys_id=ef18eb8e4f9062008b2f2e35f110c717
  5. https://health.ucdavis.edu/healthcare-professionals/news/headlines/letter-to-the-uc-community-regarding-the-delta-dentalmoveit-data-breach/2023/12
  6. https://health.ucdavis.edu/legal/privacy/
  7. https://oag.ca.gov/ecrime/databreach/reports/sb24-570834
  8. https://www.beckershospitalreview.com/cybersecurity/uc-davis-health-employees-email-account-hacked.html
  9. https://oag.ca.gov/privacy/databreach/list
  10. https://oag.ca.gov/system/files/Patient%20notice_emailcompromise%20ADULT_FINAL.pdf
  11. https://health.ucdavis.edu/media-resources/supply-chain/documents/pdfs/fy23/rfq-022123-rm-attachment%203.pdf
  12. https://health.ucdavis.edu/compliance/privacy/report_incident/
  13. https://healthitsecurity.com/topic/latest-health-data-breaches/P620
  14. https://health.ucdavis.edu/compliance/privacy/
  15. https://www.fiercehealthcare.com/it/uc-davis-email-breach-impacts-1-326-patients-mit-mass-general-team-up-to-address-challenges
  16. https://www.janmulligan.com/practice-areas/uc-davis-privacy-breach/
  17. https://iet.ucdavis.edu/security/uc-davis-data-classification-guide
  18. https://www.healthcarefinancenews.com/news/phishing-attack-uc-davis-health-breaches-data-15000-patients
  19. https://privacy.ucdavis.edu/news/privacy-tips-and-updates

Breach Submission Date: Jul 28, 2023
Converted Entity Name: UC Davis Health
Converted Entity Type: Healthcare Provider
State: CA
Individuals Affected: 3,201
Breach Type: Hacking/IT Incident
Breach Information Location: Email
Business Associate Present: Yes