UCSF has alerted approximately 600 patients/individuals that an external hacker may have obtained temporary access to emails containing their personal information as a result of a phishing scam.
In late September 2009, a faculty physician in the School of Medicine was victimized by this scam. The physician provided the user name and password for his/her e-mail account in response to an e-mail message that was fabricated by a hacker and appeared as if it came from individuals responsible for upgrading security on UCSF internal computer servers.
UCSF Enterprise Information Security identified the security breach and disabled the compromised password. UCSF conducted a complete audit of the incident and on October 16, 2009, determined that e-mails in the physician’s account, including those containing demographic and clinical information (and, in the case of four individuals, Social Security numbers), may potentially have been exposed.
Although there is no indication that unauthorized access to the emails actually took place, UCSF advised these patients/individuals to: (1) review the “explanation of benefits” sent by their health insurer, (2) look for payments they do not recognize, and (3) report any unusual payments found to their insurer or provider.
Nationally, there has been a recent string of such phishing scams directed to financial institutions, large companies, and universities, according to the Anti-Phishing Working Group, an industry association.
UCSF is committed to maintaining the privacy of personal information and takes precautions to maintain the integrity and security of that information. In response to incidents such as this, UCSF is continually modifying its systems and practices to enhance the security of sensitive information. In this case, UCSF has provided re-education to workforce members to ensure that they protect their user IDs and passwords.
UCSF has established a toll-free number (1-888-689-8273 or 1-888-689-UCSF) for those with additional questions.