In mid-December, the UC Davis Health System was hit by a phishing scam, in which 1,800 patients may have been affected.
The system is comprised of the UC Davis School of Medicine, Betty Irene Moore School of Nursing, Practice Management Group and UC Davis Medical Center in Sacramento.
Three clinicians’ email accounts were breached, but no patient Social Security numbers, financial information or health records were compromised. The emails mainly included minimal patient admission information, medical record numbers and names.
The breach hit mid-December and was first realized when the clinicians noticed deleted emails from their accounts. Their email addresses were also being used to send messages outside the system.
The scam artists used malicious software to conduct a phishing scam; however, data security experts are unable to pinpoint the exact nature of the breach. The hackers tried to phish for passwords and financial information, but there is no evidence of identity theft.
“Because of the automated nature of this type of phishing scam, it’s unlikely that any individual email messages were viewed or accessed,” said Senior Public Information Officer Charles Casey. “We have had some calls with concerns and questions, but we’re not aware of any actual patient email problems as a result of this breach into three accounts.”
The Health System’s email program is encrypted to prevent such an event from occurring. The three affected clinicians forgot to encrypt their outgoing emails, allowing access to their accounts.
The exact scam artists responsible have not been identified, but UC Davis has taken immediate measures.
“Our IT department deleted the phishing email and blocked access to the phishing website, as well as alerted UC Davis staff to the scam,” Casey said.
In addition, the Health System notified government agencies, such as the California Department of Public Health and California Attorney General’s office. The UC Davis Police Department is also investigating the breach.
According to Casey, this is the first time, to the best of their knowledge, that a UC Davis Medical Center account has been hit by such a scam.
— Nicole Yi
