A phishing attack on the University of California Davis Health may have compromised the personal health information of 15,000 patients.

Officials discovered the breach on May 15, when an employee responded to a phishing email with his or her email account login credentials. The hacker proceeded to access that account.

Once inside, the hacker was able to access the employee’s email messages and both view and or obtain patient PHI. However, officials said the investigation did not find evidence the hacker viewed the information, but it could not rule out the possibility.

Further, the cybercriminal used the email account to send emails to other staff members and requested bank transfers for large financial sums. Fortunately, the staff recognized these emails as fraudulent and reported the information to the health center’s security team.

Officials said that as access to the email account was quickly shut down, it’s possible the hacker wasn’t able to access sensitive information.

The potentially breached data included names, addresses and phone numbers, while in some cases the files included Social Security numbers, medical record numbers and diagnoses.

The health system leverages email security measures meant to detect spam emails, phishing attempts and other intrusions. Further, officials said it employs mandatory annual security training and frequent reminders to help staff maintain cyber awareness.

As a result of the attack, the health system is evaluating these processes and the need for further preventive measures.

All patients affected by the breach are being offered a year of free credit monitoring. Officials said they are also notifying several government agencies about the breach, including the U.S. Department of Health and Human Services, the California Department of Public Health and the state Attorney General.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn