UC Davis Health System Data Breach (2014)

UC Davis Health System announced that it discovered a providers email had been compromised by an unknown source on September 26, breaching 1,326 patients data. According to the release on the UC Davis Health website, the event did not involve access to patient EHRs, Social Security numbers or other personal financial information. But patient data on the email account could have included upcoming appointments, as well as consult or referral information. A member of the UC Davis IT team detected abnormal activity in the email account and determined that the providers email was compromised by the unknown source, which has yet to be identified. This resulted in the unauthorized use and potential impermissible access of the email account. Since we are unable to determine the exact nature of the access by this unauthorized third-party, we are sending a letter to all patients who had information about them included in this email account. UC Davis Health System said that it has notified, or will be notifying, several government agencies regarding the breach. This includes the California Department of Public Health, California Attorney Generals office and Office for Civil Rights (OCR). UC Davis Health Systems email program is encrypted, and there are measures in place to prevent intrusions like this one including email filtering and cyber surveillance from occurring. Immediate actions to protect patient privacy including blocking access by the unauthorized user and changing the account credentials were taken when it was discovered that the email account had been compromised. UC Davis Health System also alerted 1,800 patients of a data breach that was derived from a phishing scam in January, 2014. Read the patient data breach notification letter here.