The University of California Davis Medical Center (UC Davis Health System) is notifying patients of a breach that occurred on September 25.
According to a letter signed by Shara Merritt Reed, Privacy Program Director for UC Davis Health System, on September 26, an IT employee detected abnormal activity in the email account of one of their providers.
“Upon further investigation, it was determined that the provider’s email was compromised by an unknown source. This resulted in the unauthorized use and potential impermissible access of the email account,” Reed wrote.
“Since we are unable to determine the exact nature of the access by this unauthorized third-party, we are sending a letter to all patients who had information about them included in this email account.”
The provider whose account was compromised was not named.
No Social Security number, financial, or billing information would have been included in the emails. “Neither your personal email account nor your MyChart account, if you have one,” was affected, Reed wrote.
A copy of the patient notification template was submitted to California Attorney General’s web site.
In researching this notification, PHIprivacy.net found a notice on UC Davis Health System’s site posted on October 7 that indicated that it was a physician’s account that was compromised:
One physician’s email account compromised by unknown source
Late last week, it was determined that a UC Davis physician’s work email account was accessed by an unknown source. UC Davis Health System has notified 1,326 patients who had their personal or medical information included in an email within the compromised account. This event did not involve access to the electronic health records of patients, patients’ Social Security numbers or patients’ personal financial information.
A member of the UC Davis Information Technology team first noticed the problem when abnormal activity was detected in the physician’s email account.
Data security experts are unable to determine the exact nature of the breach or whether any messages were specifically read, but it was determined that the physician’s email was compromised by an unknown source, resulting in the potential impermissible access to this email account.
UC Davis Health System’s email program is encrypted, and there are measures in place to prevent intrusions like this one including email filtering and cyber surveillance from occurring. Immediate actions to protect patient privacy — including blocking access by the unauthorized user and changing the account credentials — were taken when it was discovered that the email account had been compromised.
UC Davis Health System has notified, or will be notifying, several government agencies – such as the California Department of Public Health, California Attorney General’s office and the federal Office for Civil Rights – about this incident.
Patients with questions about the incident may call the health system’s Compliance Department at (916) 734-8808 for additional information or advice.
UC Davis Health System is improving lives and transforming health care by providing excellent patient care, conducting groundbreaking research, fostering innovative, interprofessional education, and creating dynamic, productive partnerships with the community. The academic health system includes one of the country’s best medical schools, a 619-bed acute-care teaching hospital, a 1000-member physician’s practice group and the new Betty Irene Moore School of Nursing. It is home to a National Cancer Institute-designated comprehensive cancer center, an international neurodevelopmental institute, a stem cell institute and a comprehensive children’s hospital. Other nationally prominent centers focus on advancing telemedicine, improving vascular care, eliminating health disparities and translating research findings into new treatments for patients. Together, they make UC Davis a hub of innovation that is transforming health for all. For more information, visit healthsystem.ucdavis.edu.
This is not the first time this year that UC Davis Medical has reported compromised physician email accounts. In January, they notified 1,800 patients after three physicians reportedly fell for a phishing scheme. It is not clear whether phishing may have been responsible for the current breach.
Correction: Although the incident earlier this year was reported on UC Davis’s website as affecting approximately 1,800 patients, the incident was reported to HHS as affecting 2,269. It is not known which is the more recent or accurate figure, but given the specificity of 2,269 vs. an approximation, the higher figure is likely the correct one.