Hackers Steal 160,000 Health Records From UC Berkeley Database
Altogether, the stolen data included Social Security numbers, health insurance information and nontreatment medical information, such as immunization records and the names of some of the physicians the victims have seen for diagnoses or treatment. However, personal records, such as patients' treatments and therapies, were stored in a separate system overseen by University Health Services (UHS) and not affected by the data breach, university officials said in a statement.
Officials have since removed from service the exposed databases, and alerted the FBI and campus police. They also have commissioned the services of an independent IT security firm to investigate the incident. Officials said that evidence indicates the attack was launched by hackers based overseas. During the attack, the hackers infiltrated a public Web site while bypassing additional secured databases stored on the same server.
Victims include current and former Berkeley students dating back to 1999, in addition to their parents and spouses who were under UHS health care coverage or received services. Data breach victims also include about 3,400 Mills College students, dating back to 2001, who received or were eligible to receive Berkeley's health care services.
The breach occurred on Oct. 9, 2008, and continued until April 9, 2009, before a campus IT administrator discovered messages left by the hackers while conducting routine maintenance.
The university notified all affected data breach victims after learning of the hack. The university issued e-mails Friday to some victims, while others are expected to receive notification letters next week. The communication included tips on steps victims should take to protect themselves against identity theft. Administrators advised affected individuals to place a fraud alert on their credit reporting accounts. The university has established a Web site containing contact information for key resources and has set up a 24-hour hotline to field questions for data breach victims.
Once the breach was discovered, university officials activated an emergency security incident team to investigate the scope and impact of the breach.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, Berkeley associate vice chancellor for information technology and chief information officer. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identity the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."