FAQ: Substitute Notice of Data Breach

 

GENERAL QUESTIONS ABOUT WHAT HAPPENED AND WHAT WE ARE DOING

1. What happened?

UC San Diego Health recently identified and responded to a security matter involving unauthorized access to some employee email accounts. At no time was continuity of care for our patients affected by the event. There is also no evidence that other UC San Diego Health systems were impacted, nor do we have any evidence at this time that the information has been misused.

When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls. UC San Diego Health reported the event to the FBI and worked with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged. UC San Diego Health worked as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. We are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community.

UC San Diego Health is committed to safeguarding our community’s personal information. Once the forensic review concluded, UC San Diego Health sent individual notices to those patients, students, and employees whose personal information was contained in the accounts, where current contact information was available. UC San Diego Health is also offering one year of free credit monitoring and identity theft protection services through IDX to individuals whose data was impacted.

UC San Diego Health has also established a dedicated call center to answer questions. The call center is available toll free in the U.S. at 1-833-992-4009 from 6:00 a.m. to 6:00 p.m. PT Monday through Sunday. A dedicated IDX representative on behalf of UC San Diego Health is available to assist community members.

2. Whose information was impacted by the event?

The information of a subset of UC San Diego Health patients, students, and employees was impacted.

3. What kind of information was impacted?

There is no evidence at this time that the information has been misused. The personal information accessed varies for each individual, but could include full name, address, date of birth, email, fax number, claims information (date and cost of health care services and claims identifiers), laboratory results, medical diagnosis and conditions, Medical Record Number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and/or username and password.

4. What is a government identification number?

A government identification number could include a state-issued driver’s license or identity card number, passport number, military identification number, or other unique identification number issued on a government document.

5. Where can I go to learn more about this event?

You may visit https://health.ucsd.edu/data-security for more information.

6. When did this happen?

The information may have been accessed or acquired between December 2, 2020 and April 8, 2021.

7. When did UC San Diego Health learn about this?

In March 2021, UC San Diego Health became aware of potential unauthorized access to certain email accounts, and immediately initiated an investigation. On April 8, 2021, UC San Diego Health identified a security matter involving unauthorized access to some employee email accounts.

8. Why did this take so long?

To gain a comprehensive understanding of the extent of the event and in order to provide accurate information to members of the UC San Diego Health community, UC San Diego Health engaged and began working with a leading forensic cybersecurity firm to determine precisely what happened and what data was accessed or acquired without authorization.

As part of that effort, UC San Diego Health initiated a process to carefully inspect every email account that was accessed to determine what information was affected. This process takes time but is necessary in order to be able to give individualized notice to members of the UC San Diego Health community whose personal information was impacted and for whom current contact details are available to UC San Diego Health.

In addition to using sophisticated tools to parse and search the data, UC San Diego Health also conducted a manual review of the affected data. This was a labor-intensive and time-consuming process that involved hundreds of hours of detailed review and analysis. UC San Diego Health used its resources to complete this investigation and analysis as quickly as it could. On September 9, 2021, we sent the appropriate individual notifications to those people whose personal information was impacted, where current contact details were available to UC San Diego Health.

9. What actions are you taking to better secure UC San Diego Health’s networks in response to this event?

At no time was continuity of care for our patients affected by the event. There is also no evidence that other UC San Diego Health systems were impacted, nor do we have any evidence at this time that the information has been misused.

In addition to notifying individuals whose personal information was involved, UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing our security processes and procedures.

While we have a number of safeguards in place to protect information from unauthorized access, we are always working to strengthen them so we can further minimize the risk of this type of threat activity, and we have asked our community to remain alert to threats.

10. Has the event been resolved?

Yes. When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls. UC San Diego Health reported the event to the FBI and worked with external cybersecurity experts to investigate the event and determine what happened, what data was impacted, and to whom the data belonged.

11. Is the UC San Diego Health security event related to the University of California Accellion security event?

No. This matter is not related to the security event relating to the Accellion file transfer appliance (FTA) (also known as SAFE).

12. Have you notified the appropriate authorities?

Yes. UC San Diego Health reported the matter to law enforcement.

13. Is UC San Diego Health offering credit monitoring?

Yes. UC San Diego Health offered one year of free credit monitoring and identity theft protection services through IDX to individuals whose data was impacted. UC San Diego Health is committed to safeguarding our community’s personal information. On September 9, 2021, UC San Diego Health sent individual notices to those students, employees, and patients whose personal information was contained in the accounts, where current contact information was available, and those notices included information on how to activate the credit monitoring and IDX CyberScan services.

GENERAL QUESTIONS ABOUT WHAT YOU CAN DO

14. Do I need to do anything?

UC San Diego Health asks that its community members remain alert to threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your financial statements, credit reports, and Explanations of Benefits (EOBs) from your health insurers for any unauthorized activity. If you ever suspect that you are the victim of identity theft or fraud, you should contact the company that maintains the account on your behalf or your local police. You may report suspected phishing or social engineering attempts to abuse@ucsd.edu.

UC San Diego Health also recommends that you rotate passwords, avoid using the same password across different accounts, and use multifactor authentication for your personal online accounts when offered. 

On September 9, 2021, UC San Diego Health sent individual notices to those students, employees, and patients whose personal information was contained in the accounts, where current contact information was available. UC San Diego Health also offered one year of free credit monitoring and identity theft protection services through IDX to individuals whose data was impacted.

15. What should I do while I wait to learn if my data was impacted?

On September 9, 2021, UC San Diego Health sent individual notices to those patients, employees and students whose personal information was contained in the accounts, where current contact information was available. UC San Diego Health asks that its community members remain alert to threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your financial statements, credit reports, and Explanations of Benefits (EOBs) from your health insurers for any unauthorized activity. If you ever suspect that you are the victim of identity theft or fraud, you should contact the company that maintains the account on your behalf or your local police.

You may report suspected phishing or social engineering attempts to abuse@ucsd.edu.

UC San Diego Health also recommends that you rotate passwords, avoid using the same password across different accounts, and use multifactor authentication for your online accounts when offered.


16. What is multi-factor authentication?

Authentication is the process of determining whether someone or something is, in fact, who or what they declare to be. Multifactor authentication is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. Multifactor authentication can combine two or more independent credentials that verify that the individual attempting to log in is the actual authorized user. An example would be a password entered by the user plus a separate code that is sent to a registered device belonging to the user at the time of login.

17. Should I change my password?

Yes. UC San Diego Health recommends that you rotate passwords, avoid using the same password across different accounts, and use multifactor authentication for your personal online accounts when offered.

18. How can I find out if my information was exposed?

On September 9, 2021, UC San Diego Health sent individual notices to those patients, students, and employees whose personal information was contained in the accounts, where current contact information was available. UC San Diego Health also offered one year of free credit monitoring and identity theft protection services through IDX to individuals whose data was impacted.

QUESTIONS ABOUT THE INDIVIDUAL NOTICES

19. I didn’t receive a letter in September from UC San Diego Health. Does that mean my data wasn’t impacted?

Notices were sent September 9, 2021 to those patients, employees, and students whose personal information was impacted in the event and where current contact information was available.

If you believe your data was impacted but did not receive a notice, please call our dedicated IDX call center. The call center is available toll free in the U.S. at 1-833-992-4009 from 6:00 a.m. to 6:00 p.m. PT, Monday through Sunday. A dedicated IDX representative on behalf of UC San Diego Health will be available to assist community members.

20. When were the individual notifications sent?

The notifications were sent September 9, 2021.

21. Should I expect an email or mail via the USPS?

UC San Diego Health community members were notified via USPS first class mail in cases where we had a current physical address.

22. What data of mine was impacted in the UC San Diego Health event?

The impacted personal information is identified in your notification letter.

23. If I previously signed up for credit monitoring and identity theft protection, do I need to sign up again in response to this event?

That is up to you. You may wish to compare your current services with the features and benefits of the services being offered before deciding how you want to proceed.

24. What happens when the one year of credit monitoring and identity theft protection runs out?

UC San Diego Health is covering the cost for one year of credit monitoring and identity theft protection. If you would like to continue the service beyond that, you can purchase those services following that period.

25. I lost my code that UC San Diego Health sent. How do I get another one?

If you lost your activation code, please contact IDX. We have established a dedicated call center available toll free in the U.S. at 1-833-992-4009 from 6:00 a.m. to 6:00 p.m. PT, Monday through Sunday. A dedicated IDX representative on behalf of UC San Diego Health will be available to assist community members.

26. Should I expect any further communication about this event from UC San Diego Health?

No, you should not expect any further communication about the event.

QUESTIONS ABOUT IDX

27. How do I sign up for IDX?

Those patients, students, and employees whose personal information was contained in the accounts that were impacted are eligible for free credit monitoring and identity theft protection services. These individuals were sent notifications. An activation code to sign up for IDX is contained in the individual notice letter sent September 9, 2021.

28. What is IDX's CyberScan?

This feature continuously monitors thousands of websites and millions of data points, alerting registered subscribers if their personal information is found being bought, sold, or traded online. CyberScan uses a variety of data gathering techniques, such as chat room monitoring, spidering/crawler/scraping capabilities, and forum extraction. If your personal information has been detected during this search, you will receive an email alert.

29. What do I do if I receive confirmation from IDX that my information was found on the Internet?

If you previously registered for IDX and received an alert, that is evidence the monitoring service is working. Contact IDX at 1-833-992-4009 immediately so one of their trained representatives may advise on how to safeguard your information. The call center is available Monday through Sunday 6:00 a.m. to 6:00 p.m. PT.  The IDX member portal also offers information about what you can do to protect yourself. If any fraudulent claims were made using your data, contact IDX to initiate the restoration process.

Depending on what kind of information was exposed, individuals should take different steps:

a) My email address is compromised; what should I do next?

  • Change the password to your email account.
  • Change the passwords to any online accounts that use the compromised email address as a login.
  • Create strong passwords. The stronger the password is, the less likely it is that someone will be able to crack it. Length is more important than complexity.
  • Create a unique password for every site.

b) My phone number was compromised; what should I do next?

  • If you have been receiving suspicious calls, consider blocking the number that was provided as the source.
  • If you have not been receiving suspicious calls, keep an eye out for any additional identity alerts.

c) My driver's license was compromised; what should I do next?

  • Contact your local Department of Motor Vehicles (DMV).
  • You also have the option to pull a current credit report, as well as place a one-year fraud alert.
  • You can request your free credit report by visiting https://www.annualcreditreport.com or by calling 1-877-322-8228.

d) My medical ID was compromised; what should I do next?

  • Review your medical claims and records.
  • You may also contact your healthcare provider where the account is located and report it as fraud.

e) My debit, credit, or retail card was compromised; what should I do next?

  • Contact the financial institution that issued you the compromised debit, credit, or retail card so they may assist you with cancelling it.
  • Request your card be reissued.
  • The financial institution that issued you the compromised debit, credit, or retail card can initiate an investigation for any fraudulent charges you may have incurred.

f) My passport was compromised; what should I do next?

  • Contact the U.S. Passport office to report your passport lost or stolen immediately (or your representative Embassy or Consulate if your passport is from a different country).
  • Replace your passport, using the required forms to report a lost or stolen passport and request a replacement.

g) My bank account was compromised; what should I do next?

  • IDX recommends you close the affected accounts and change all associated PINs, passwords, and security questions.

h) My Medicare card number was compromised; what should I do next?

  • Go to https://faq.ssa.gov/en-us/Topic/article/KA-01735 to obtain a replacement card.
  • If you prefer, or if you are unable to use the online request to obtain a replacement Medicare card, call Social Security's toll-free number, 1-800-772-1213. You may also visit your local Social Security office.

i) My mailing address was compromised; what should I do next?

  • Contact the USPS (United States Postal Service) to confirm your mail is being routed to your current address.
  • Contact your creditor(s) to confirm your mail is being routed to your current address.

30. My Social Security number was exposed. What should I do?

Call IDX at 1-833-992-4009 and a dedicated representative on behalf of UC San Diego Health will assist you.

UC San Diego Health community members should remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police. You may also contact the credit reporting agencies to place a "fraud alert" or "security freeze" on your credit reports in the case of identity fraud or theft.

31. What should I do if I believe I am the victim of identity theft?

UC San Diego Health community members should remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft, you can contact your local police and visit https://www.identitytheft.gov to report it and get a recovery plan.

You may contact the credit reporting agencies to place a "fraud alert" or "security freeze" on your credit reports.

  • File a police report and ask for a copy for your records.
  • File a complaint with the Federal Trade Commission.
  • File a complaint with your state Attorney General.
  • Keep detailed records.
  • Keep detailed notes of anyone you talk to regarding this incident, what they told you, and the date of the conversation.
  • Keep originals of all correspondence and forms relating to the suspicious or fraudulent activity, identity theft, or fraud.
  • Retain originals of supporting documentation, such as police reports and letters to and from creditors. When requested to produce supporting documentation, send copies.
  • Keep old files, even if you believe the problem is resolved.

You may also contact affiliated financial institutions to protect or close any accounts that have been tampered with or opened fraudulently.

Additionally, it is always a good idea to be alert for "phishing" emails or phone calls by someone who acts like they know you or are a company that you may do business with, and who requests sensitive information, such as passwords, Social Security numbers, or financial account information.

32. I applied for credit monitoring but have not received an alert.

Most lenders report account activity within 30 days, but some can take as long as 90 days. Also, some smaller creditors may only report to one or two of the three nationwide consumer reporting agencies – Equifax, Experian, and TransUnion. If your creditor doesn't report to all three, then you will not receive an alert from all three for the same activity.

33. Why did I receive more than one alert for the same loan application?

Here are some common reasons that you will receive multiple alerts for the same loan application:

  • If the loan was approved and the lender opened an account in your name, you will receive an alert for the initial credit report inquiry to process your application. You will also receive an alert for the account being opened.
  • If the lender reported your account to all three of the major credit bureaus – Experian, Equifax, and TransUnion – you may receive an alert from each bureau.

34. IDX requires me to share my SSN for credit monitoring. What kind of security protocols are in place for IDX?

35. I have not received a notice, but I believe I am eligible for credit monitoring.

UC San Diego Health is offering free credit monitoring and identity theft protection services through IDX to those patients, students, and employees whose personal information was impacted, where current contact information was available. These individuals were sent notifications. An activation code to sign up for IDX is contained in the individual notice letter sent September 9, 2021.

If you fall into one of these categories but did not receive an individual code, please call our dedicated call center at 1-833-992-4009 for assistance.

QUESTIONS ABOUT CREDIT MONITORING

36. Am I eligible for free credit monitoring?

UC San Diego Health sent individual notices to those patients, students, and employees whose personal information was contained in the accounts, where current contact information was available. UC San Diego Health is also offering one year of free credit monitoring and identity theft protection services through IDX to individuals whose data was impacted.

37. I have credit monitoring and identity theft protection services with another company. Do I need to sign up with IDX too?

If you already have credit monitoring and identity theft protection services with another company, you may wish to compare those services with the features and benefits of IDX's services before deciding how to proceed.

38. What features and benefits does IDX provide?

When you enroll with IDX, you have access to the following features and benefits.

  • Credit Monitoring: Actively monitors Experian, Equifax, and TransUnion files for indicators of fraud.
  • CyberScan Monitoring: IDX will monitor criminal websites, chat rooms, and bulletin boards for illegal selling or trading of personal information.
  • SSN Trace: Looks for names and addresses affiliated with your Social Security number through automatic monitoring and alerts from Public Records databases.
  • Online Resource Center: Includes access to the IDX team, news, education, and advisory services.
  • $1 Million Reimbursement: In the event of a confirmed identity theft, IDX enrollees are eligible for reimbursement of up to $1,000,000 for out-of-pocket expenses.
  • Identity Theft Recovery: Fully managed services to restore your identity to pre-theft status in the event of identity theft.

39. Will IDX require me to share my Social Security number for credit monitoring? If so, what kind of security protocols are in place?

Yes, your Social Security number is required to activate credit monitoring services. See IDX’s approach to privacy.

40. If I believe my data was impacted, should I place a fraud alert on my credit file?

You have the right to place an initial or extended "fraud alert" on your file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert displayed on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. You may contact any of the three nationwide credit bureaus – Equifax, Experian, and TransUnion – to request a fraud alert. Once you place an alert with one of the bureaus, that bureau will send your request to the other two.

41. If I believe my data was impacted, should I place a freeze on my credit file?

You have the right to place a security freeze on your file at no cost. A security freeze will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.

However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.

Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Contact each of the three major credit bureaus directly to place a security freeze on your credit file.

42. If I freeze my credit through one of the credit monitoring agencies, do I need to contact the other two?

Yes. Should you decide to freeze your credit, each of the three nationwide credit bureaus – Equifax, Experian, and TransUnion – must be contacted directly.

43. What does it mean to set up a fraud alert?

Fraud alerts can be placed on your credit reports for free, and there are two different types:

An initial (one-year) fraud alert can be placed if you believe you are, or may become, a victim of fraud or identity theft. The fraud alert lasts for one year. If you want to keep it active on your credit reports, you'll need to renew it after that time. When you or someone else attempts to open an account in your name or attempts to make changes on an existing account, such as increasing the credit limit, the lender or creditor must take reasonable steps to confirm you are who you say you are, such as through contacting you by phone at a number you provide, before completing the request.

Placing an initial fraud alert also allows you to request a free copy of your credit reports every 12 months from the three nationwide credit bureaus, in addition to the one free copy from each credit bureau you're entitled to under the Fair Credit Reporting Act.

An extended fraud alert can be placed if you are a victim of fraud or identity theft. It requires a copy of a valid police or law enforcement agency report or a Federal Trade Commission Identity Theft Report. An extended fraud alert is similar to an initial fraud alert but lasts for seven years. With an extended fraud alert, a lender or creditor is required to verify your identity in person or by phone at a number you provide before opening new accounts or making changes to existing accounts.

44. Can I check my credit reports?

Yes. The credit monitoring agencies recommend that you check your credit report at least once a year, if not more often, as part of your normal financial management practices. Some individuals prefer checking their credit scores monthly or even weekly. You can check your credit score as frequently as you’d like without impacting your score.

45. Do I have to pay for the credit report?

You can order your credit reports for free from all three credit bureaus once a year. You can do this online at www.annualcreditreport.com or by phone at 1-877-322-8228. Normally, you can get a free copy of your credit report from each bureau once every 12 months at AnnualCreditReport.com. Through April 2022, however, you can request a free copy of your credit report every week.

46. I believe I am eligible for credit monitoring and identity theft protection through IDX but was unable to complete the authentication process for credit monitoring for one of the reasons below. What services are available to me?
  • I do not have a credit file
  • I do not live in the United States
  • I do not have a Social Security number

A credit file (commonly known as credit history), U.S. address, and Social Security number are necessary for credit monitoring. Individuals who do not have a credit history may still enroll with IDX and receive CyberScan services, $1M identity theft insurance, and full-service identity restoration.

If you are eligible, you may register for IDX using the activation code found in your individual notification sent September 9, 2021. UC San Diego Health community members are being notified via USPS mail where physical addresses are available. An IDX representative will be happy to answer any questions you might have and may be reached at 1-833-992-4009.