UC San Diego Health Phishing Attack Exposes Medical Data

UC San Diego Health, the academic health system of the University of California, recently disclosed a phishing attack that resulted in a data breach. Bleeping Computer broke this story.

The phishing attack compromised some employee email accounts, giving the attackers potential access to the personally identifying information of patients, employees, and students between December 2, 2020, and April 8, 2021.

The information potentially at risk includes full name, address, date of birth, email, claims information, medical diagnosis and conditions, Medical Record Number, Social Security number, government identification number, payment card number or financial account number, and security code. It remains unclear how many people may have been affected by the phishing attack, or what the fallout might be. Other researchers have documented that health and medical data sells for higher rates on the Dark Web than credit card numbers. 

UC San Diego Health is ranked as one of the best hospitals in the United States. The organization has closed the unauthorized access and is investigating the incident with the help of third-party researchers. 

The prominence of this target and the depth of potentially stolen information prompted cybersecurity experts to share their thoughts. Here’s what they had to say. 

Gary Ogasawara

Gary Ogasawara is CTO of Cloudian.

While many organizations rely on perimeter security such as firewalls or educating employees against the dangers of phishing, these defenses can be easily breached by increasingly sophisticated attacks. A recent survey of ransomware victims found that phishing succeeded despite the fact that 54% of all respondents and 65% of those that reported it as the entry point had conducted anti-phishing training for employees. These statistics highlight the fact that perimeter security is not enough to withstand an attack.

Organizations need to move beyond such traditional defenses to protect their data. This includes encrypting data both in flight and at rest to keep cyber-criminals from reading it or making it public in any intelligible form. In addition, organizations should have an immutable (unchangeable) backup copy of their data which prevents such criminals from altering or deleting it and ensures the ability to recover the uninfected backup copy in the event of an attack, without paying ransom.

James Carder

James Carder is CSO of LogRhythm.

“As we have witnessed throughout 2021, threat actors continue to exploit unsuspecting individuals to gain sensitive information. Medical records continue to be the highest-value record being stolen due to how financially lucrative the personally identifiable information (PII) and protected health information (PHI), which cannot be changed or updated like you can with a credit card number, is for attackers. UC San Diego patients whose information was accessed are now vulnerable to a number of attacks due to their sensitive PII and PHI data being breached, including various methods of credit, insurance, and payment fraud. They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made. Additionally, it is conceivable that the medical state, diagnosis, or prescription information for high-profile patients could be of interest to nation-states, terrorist groups, or other threat actors looking to do physical harm.

UC San Diego Health now needs to review their complete threat landscape and model the threat actors that would be interested in or targeting that landscape. They need to fully understand what has been exposed to the internet and what systems or infrastructure allows access, especially to sensitive information, with just a username and password. Moving forward, UC San Diego should also ensure they have multi-factor authentication in place, as it is a must-have in today’s day and age and could prevent future breaches caused by compromised credentials.

To help prevent incidents like this moving forward, security awareness programs are essential — especially programs that focus specifically on phishing awareness. Ensuring employees are comfortable with analyzing subject lines, sender addresses, etc. allows them to be a more active part of the security defense. No matter where an organization stores its data, real-time monitoring and clear visibility are crucial for rapidly detecting and neutralizing security threats. Given the current evolving threat landscape and increased focus on healthcare by cyber-criminals, companies must leverage authentication and access controls, and response capabilities, to ensure private documents will be safeguarded and patients remain protected.”
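Carder's recommendation to have staff examine subject lines and sender addresses, and to back that up with real-time monitoring, can also be applied mechanically at the mail gateway. The following is an added example, not code from the article or from LogRhythm, that triages the headers of an inbound message for the indicators a reviewer would look for: a sender outside the organization, a lookalike domain, a Reply-To that points elsewhere, failed SPF/DKIM/DMARC results recorded by the receiving MX, and urgency language in the subject. The organization domain `example-health.org`, the two sample messages, and the indicator weights are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed: the protected organization's own mail domain (an assumption, not from the article)
ORG_DOMAIN = "example-health.org"

# Constructed sample of a credential-phishing message as it would arrive at the gateway
SAMPLE_PHISH = """\
From: "Medical Records Desk" <jane.rivera@example-health-portal.com>
Reply-To: records-desk@mail-relay-123.net
To: staff@example-health.org
Subject: URGENT: Re-validate your portal credentials today
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-health-portal.com; dkim=none; dmarc=fail header.from=example-health-portal.com
Content-Type: text/plain

Please sign in at the link below to keep access to patient records.
"""

# Constructed sample of a routine internal notice
SAMPLE_LEGIT = """\
From: "IT Service Desk" <servicedesk@example-health.org>
To: staff@example-health.org
Subject: Scheduled maintenance window
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org; dmarc=pass header.from=example-health.org
Content-Type: text/plain

The VPN gateway will be patched on Saturday.
"""

# Constructed weights: how much each indicator contributes to the risk score
WEIGHTS = {
    "external-sender": 1,
    "lookalike-domain": 3,
    "reply-to-mismatch": 2,
    "spf-fail": 2,
    "dkim-fail": 2,
    "dmarc-fail": 3,
    "urgency-subject": 1,
}


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw, org_domain=ORG_DOMAIN):
    """Return a list of (indicator, detail) pairs found in the message headers."""
    msg = email.message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # 1. Sender is outside the organization; crude lookalike check on the org's first label
    if from_domain != org_domain:
        findings.append(("external-sender", from_addr))
        if org_domain.split(".")[0] in from_domain:
            findings.append(("lookalike-domain", from_domain))

    # 2. Reply-To routes replies to a different domain than the visible sender
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", reply_addr))

    # 3. Any non-pass SPF/DKIM/DMARC result recorded by the receiving MX
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        for part in (p.strip() for p in auth.split(";")):
            if part.startswith(mech + "="):
                result = part.split("=", 1)[1].split()[0]
                if result != "pass":
                    findings.append((f"{mech}-{result}", part))

    # 4. Urgency or credential language in the subject line
    subject = str(msg.get("Subject", ""))
    if any(w in subject.lower() for w in ("urgent", "credential", "password", "verify", "re-validate")):
        findings.append(("urgency-subject", subject))

    return findings


def risk_score(findings):
    """Sum the weights of the indicators; unknown auth results count 1."""
    return sum(WEIGHTS.get(name, 1) for name, _ in findings)


def verdict(raw, org_domain=ORG_DOMAIN):
    """Map the score to a gateway action: deliver, hold for review, or quarantine."""
    score = risk_score(triage_headers(raw, org_domain))
    if score >= 5:
        return "quarantine"
    if score >= 2:
        return "review"
    return "deliver"


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, verdict(sample), triage_headers(sample))
```

The per-indicator findings are what a SOC analyst would want in the alert, and the score is what the gateway acts on; in practice the thresholds and weights would be tuned against the organization's own mail flow rather than set once as here.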

Purandar Das

Purandar Das is Co-founder and Chief Security Evangelist at Sotero.

“I think it will be important to understand the specific nature of the breach. More importantly, it is too early to claim that the data has not been misused. In fact, it may be hard to quantify what the long-term impact of the stolen data on the individuals is. Also concerning is that the breach was not identified based on sources other than the organization. That fact alone may suggest that the stolen data may have been spotted in an illegal storefront. Obviously, the hospital will be taking a hard look as to how the activity went undiscovered for an extended period of time. The learnings should be used to help other organizations prepare better.”

Casey Ellis

Casey Ellis is CTO and founder of Bugcrowd.

“In an effort to support patients and staff during the pandemic, the healthcare sector has had to quickly become more accessible and connected. This increased accessibility brings increased exposure to attackers, and any time new technologies are quickly implemented there will be exploitable vulnerabilities left behind. This, combined with the intense pressure on the healthcare sector, makes it a prime target for cybercriminals. 

This breach is an example of the sensitive personal information that can be violated by outside attackers within healthcare organizations, such as medical diagnosis and conditions, medical record numbers, prescription information, social security numbers, and financial account information. With such incredibly sensitive data at stake to cyber attackers, healthcare organizations should fortify their security posture with a crowdsourced cybersecurity approach. This empowers healthcare professionals to assess and mitigate the risks associated with disparate data sources and infrastructure so that patients do not have to worry about the privacy of their data.

As health needs continue to grow, healthcare providers need to continue to operate without security slowing them down, which is where Bugcrowd has seen great success engaging external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before adversaries can exploit them. This allows healthcare networks to identify security issues before the adversary does, protect their users, and avoid a breach like this one.” 

Thanks to the cybersecurity experts for their time and expertise on the UC San Diego Health phishing attack. For more, check out the SIEM Buyer’s Guide.

Ben Canner