July 27, 2021 (updated September 9, 2021)
To the UC San Diego Health community:
As we previously disclosed July 27, 2021 in communications to patients, students, employees, and the community, UC San Diego Health was subject to a security event involving unauthorized access to some employee email accounts. This post provides up-to-date information on what happened and what we are doing.
On September 9, 2021, we sent individual notices to community members whose personal information was impacted by the security event where contact information was available. Notifications were sent via USPS mail where addresses were available. UC San Diego Health worked deliberately, while taking care to provide accurate information, as quickly as it could.
Substitute Notice of Data Breach
To the UC San Diego Health community:
UC San Diego Health recently experienced a security event involving unauthorized access to some employee email accounts. This notice provides up-to-date information on what happened and what we are doing.
UC San Diego Health recently identified and responded to a security matter involving unauthorized access to some employee email accounts. At no time was continuity of care for our patients affected by the event.
When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls. UC San Diego Health reported the event to the FBI and worked with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged, moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted.
Please be assured that there is no evidence at this time that the information has been misused or that other UC San Diego Health systems were impacted.
What Information Was Involved?
UC San Diego Health notified the community of what personal information may have been involved July 27, 2021 and sent individual notices to community members whose data was impacted on September 9, 2021. Between December 2, 2020 and April 8, 2021, the following information was accessed or acquired: full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password. The data accessed and/or acquired varies by individual. It does not appear that any personal information was the target of this incident and there is no evidence at this time that personal information was misused.
What We Are Doing
UC San Diego Health has enhanced their security controls and is committed to safeguarding personal information. UC San Diego Health has arranged for individuals whose data was impacted to receive one year of free credit monitoring and identity theft protection services through IDX, the data breach and recovery services expert. IDX identity protection services include: credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services. With this protection, IDX will help resolve issues if an individual's identity is compromised.
In addition to these actions, UC San Diego Health began taking remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing security processes and procedures. While there are a number of safeguards in place to protect information from unauthorized access, UC San Diego Health is also always working to strengthen them so we can further minimize the risk of this type of threat activity.
What You Can Do
It is always a good idea to remain alert to threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your financial statements, credit reports, and Explanations of Benefits (EOBs) from your health insurers for any unauthorized activity. If you ever suspect that you are the victim of identity theft or fraud, you should contact the company that maintains the account on your behalf or your local police.
For more information:
UC San Diego Health sent notices on September 9, 2021 to all individuals whose data was impacted. UC San Diego Health has established a dedicated call center to answer questions. If you believe your personal information may have been impacted and you do not receive a letter by October 20, 2021, please call the call center 1-833-992-4009 (toll free in the U.S.) from 6:00 a.m. to 6:00 p.m. PT Monday through Sunday. A dedicated IDX representative on behalf of UC San Diego Health will be available to assist community members.
To protect against possible fraud, identity theft or other financial loss, you should always remain vigilant, review your account statements and monitor your credit reports. Provided below are the names and contact information for the three major U.S. credit bureaus and additional information about steps you can take to obtain a free credit report and place a fraud alert or security freeze on your credit report. If you believe you are a victim of fraud or identity theft, you can contact your local law enforcement agency, your state’s Attorney General or the Federal Trade Commission. Please know that contacting UC San Diego Health will not expedite any remediation of suspicious activity.
INFORMATION ON OBTAINING A FREE CREDIT REPORT
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit reports, visit
www.annualcreditreport.com or call toll-free at +1 (877) 322-8228.
INFORMATION ON IMPLEMENTING A FRAUD ALERT OR SECURITY FREEZE
You may contact the three major credit bureaus at the addresses below to place a fraud alert on your credit report. A fraud alert indicates to anyone requesting your credit file that you suspect you are a possible victim of fraud. A fraud alert does not affect your ability to get a loan or credit. Instead, it alerts a business that your personal information might have been compromised and requires that business to verify your identity before issuing you credit. Although this may cause some short delay if you are the one applying for the credit, it might protect against someone else obtaining credit in your name.
In addition to a fraud alert, you may also consider placing a security freeze on your credit report. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing or other services.
A credit reporting agency may not charge you to place, temporarily lift, or permanently remove a security freeze.
To place a fraud alert on your credit report, you must contact the one of the credit bureaus below and the other two credit bureaus will automatically add the fraud alert. To place a security freeze on your credit report, you must contact all three credit bureaus below:
Equifax: Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
+1 (800) 525-6285
Experian: Credit Fraud Center
P.O. Box 9554
Allen, TX 75013
+1 (888) 397-3742
TransUnion: TransUnion LLC
P.O. Box 2000 Chester, PA
+1 (800) 680-7289
To request a security freeze, you will need to provide the following information:
- Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
- Social Security number
- Date of birth
- If you have moved in the past five (5) years, the addresses where you have lived over those prior five years
- Proof of current address such as a current utility bill or telephone bill
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.).
You may also contact the U.S. Federal Trade Commission ("FTC") for further information on fraud alerts, security freezes, and how to protect yourself from identity theft. The FTC can be contacted at 400 7th St. SW, Washington, DC 20024; telephone +1 (877) 382-4357; or
Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your state Attorney General, or the FTC.
California Residents: Visit the California Office of Privacy Protection (https://oag.ca.gov/privacy) for additional information on protection against identity theft.
Iowa Residents: The Attorney General can be contacted at Office of Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines, Iowa 50319, +1 (515) 281-5164,
Kentucky Residents: The Attorney General can be contacted at Office of the Attorney General of Kentucky, 700 Capitol Avenue, Suite 118 Frankfort, Kentucky 40601,
www.ag.ky.gov, Telephone: +1 (502) 696-5300.
Maryland Residents: The Attorney General can be contacted at Office of Attorney General, 200 St. Paul Place, Baltimore, Maryland 21202; +1 (888) 743-0023; or
Massachusetts Residents: Under Massachusetts law, you have the right to obtain any police report filed in connection to the incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
North Carolina Residents: The Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; +1 (919) 716-6400; or
New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA), which governs the collection and use of information pertaining to you by consumer reporting agencies. For more information about your rights under the FCRA, please visit
New York Residents: The Attorney General can be contacted at the Office of the Attorney General, The Capitol, Albany, NY 12224-0341, +1 (800)-771-7755; or
Oregon Residents: The Attorney General can be contacted at Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, +1 (877) 877-9392 (toll-free in Oregon), +1 (503) 378-4400, or
Rhode Island Residents: The Attorney General can be contacted at 150 South Main Street, Providence, Rhode Island 02903; +1 (401) 274-4400 or
www.riag.ri.gov. You may also file a police report by contacting local or state law enforcement agencies.
FAQs about this notice.