DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

University of California Davis Medical Center notifies 1,326 patients after doctor's email account compromised

Posted on October 13, 2014 by Dissent

The University of California Davis Medical Center (UC Davis Health System) is notifying patients of a breach that occurred on September 25.

According to a letter signed by Shara Merritt Reed, Privacy Program Director for UC Davis Health System, on September 26, an IT employee detected abnormal activity in the email account of one of their providers.

“Upon further investigation, it was determined that the provider’s email was compromised by an unknown source. This resulted in the unauthorized use and potential impermissible access of the email account,” Reed wrote.

“Since we are unable to determine the exact nature of the access by this unauthorized third-party, we are sending a letter to all patients who had information about them included in this email account.”

The provider whose account was compromised was not named.

No Social Security number, financial, or billing information would have been included in the emails. “Neither your personal email account nor your MyChart account, if you have one,” was affected, Reed wrote.

A copy of the patient notification template was submitted to California Attorney General’s web site.

In researching this notification, PHIprivacy.net found a notice on UC Davis Health System’s site posted on October 7 that indicated that it was a physician’s account that was compromised:

One physician’s email account compromised by unknown source

Late last week, it was determined that a UC Davis physician’s work email account was accessed by an unknown source. UC Davis Health System has notified 1,326 patients who had their personal or medical information included in an email within the compromised account. This event did not involve access to the electronic health records of patients, patients’ Social Security numbers or patients’ personal financial information.

A member of the UC Davis Information Technology team first noticed the problem when abnormal activity was detected in the physician’s email account.

Data security experts are unable to determine the exact nature of the breach or whether any messages were specifically read, but it was determined that the physician’s email was compromised by an unknown source, resulting in the potential impermissible access to this email account.

UC Davis Health System’s email program is encrypted, and there are measures in place to prevent intrusions like this one including email filtering and cyber surveillance from occurring. Immediate actions to protect patient privacy — including blocking access by the unauthorized user and changing the account credentials — were taken when it was discovered that the email account had been compromised.

UC Davis Health System has notified, or will be notifying, several government agencies – such as the California Department of Public Health, California Attorney General’s office and the federal Office for Civil Rights – about this incident.

Patients with questions about the incident may call the health system’s Compliance Department at (916) 734-8808 for additional information or advice.

UC Davis Health System is improving lives and transforming health care by providing excellent patient care, conducting groundbreaking research, fostering innovative, interprofessional education, and creating dynamic, productive partnerships with the community. The academic health system includes one of the country’s best medical schools, a 619-bed acute-care teaching hospital, a 1000-member physician’s practice group and the new Betty Irene Moore School of Nursing. It is home to a National Cancer Institute-designated comprehensive cancer center, an international neurodevelopmental institute, a stem cell institute and a comprehensive children’s hospital. Other nationally prominent centers focus on advancing telemedicine, improving vascular care, eliminating health disparities and translating research findings into new treatments for patients. Together, they make UC Davis a hub of innovation that is transforming health for all. For more information, visit healthsystem.ucdavis.edu.

This is not the first time this year that UC Davis Medical has reported compromised physician email accounts. In January, they notified 1,800 patients after three physicians reportedly fell for a phishing scheme. It is not clear whether phishing may have been responsible for the current breach.

Correction: Although the incident earlier this year was reported on UC Davis’s website as affecting approximately 1,800 patients, the incident was reported to HHS as affecting 2,269. It is not known which is the more recent or accurate figure, but given the specificity of 2,269 vs. an approximation, the higher figure is likely the correct one.

Category: Uncategorized

Post navigation

← Alleged Broadway Grill hacker now charged with stealing and selling 2 million credit card numbers
Home Depot now facing 21 class-action lawsuits over data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • Ireland’s Data Protection Commission publishes 2024 Annual Report
  • The headlines suggested Freedman Healthcare suffered a ransomware attack that affected patient data. The reality was quite different.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data
  • DOJ Seeks More Time on Tower Dumps

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.