The FBI is investigating a data breach that occurred when hackers infiltrated a medical database shared by the University of California, Berkeley, and Mills College that contained health-care information and Social Security numbers for more than 160,000 students, alumni and their families.
Security experts say the hack could have been prevented by protecting the sensitive medical information stored on easily accessible spreadsheets.
News of the data breach came to light Friday after it was discovered that hackers had broken into a medical database UC Berkeley shared with Mills College that contained health-related information for students, alumni and their families.
The stolen data included more than 97,000 Social Security numbers, as well as health insurance information and nontreatment medical information, such as immunization records and the names of some of the physicians the victims have seen for diagnoses or treatment. UC Berkeley officials said, however, that personal records, such as patients' treatments and therapies, were stored on a separate system not affected by the data breach.
University administrators issued e-mails Friday to some victims, while others are expected to receive notification letters this week.
School officials said evidence indicated that the breach occurred Oct. 8, 2008, and continued through April 9, 2009. The data breach came to light April 21 after a campus IT administrator discovered messages left by hackers while conducting routine maintenance.
University administrators have since removed the exposed databases. In addition to the pending FBI investigation, the university has commissioned the services of an independent IT security firm to determine the details related to the breach and offer solutions to prevent a hack from happening again.
During the attack, the hackers infiltrated the public Web site containing UC Berkeley and Mills College health-related information, but bypassed the secured University Health Services databases containing more personal medical and treatment information. So far, evidence indicates that the attack was perpetrated by hackers based overseas, university officials said in a statement.
Security experts say that one of the biggest mistakes possibly leading to the data breach was leaving student Social Security numbers unencrypted on spreadsheets where they could easily be accessed.
"If you have data like Social Security numbers, you shouldn't have spreadsheets for those Social Security numbers lying around," said Wasim Ahmad, vice president of marketing for Voltage Security. "Often people assume that if [sensitive information] is lying around and it's inside, it's safe."
To combat growing security problems, Ahmad said that many universities were investing in laptop encryption and other kinds of encryption and data leak technologies to protect data at rest, as well as in transmission. Ahmad also said that in light of the six-month data breach, universities should conduct regular security audits to detect security holes and determine who has unauthorized access to sensitive information.
The victims include current and former Berkeley students dating back to 1999, as well as their parents and spouses who were under the university's health coverage or received services. The pool of affected individuals also includes about 3,400 Mills College students dating back to 2001 who received or were eligible to receive Berkeley health care services.
Security experts say that Berkeley and other universities will have to re-evaluate the balance between securing sensitive data and maintaining university policies that simultaneously allow information to be open and freely accessible.
"Universities don't set rules the same way a bank sets rules. That's kind of the heart of it," Ahmad said. "They probably have a different stance than a bank, where everything is locked down."
This is not the first time hackers have targeted public institutions for medical records. The Berkeley data breach follows just days after hackers demanded a $10 million ransom for stolen patient records after they infiltrated a Virginia state database and deleted patients' pharmaceutical and prescription information.
Meanwhile, Ahmad said that more data breaches such as UC Berkeley's will likely be forthcoming as hackers continue to find weak links in public institutions and other targets with faulty or disparate security standards.
"If you go back and look at breaches in the last five years, they're happening on a very regular basis," Ahmad said. "We're seeing multi-tens of thousands of records breached, and we're trying to see if we can make a prediction. The number of breaches is going to be at that point where people are going to say enough is enough."
Click here to read more articles by Stefanie Hoffman.