UCSF Doctor Falls For Phishing Scam and Causes Data Breach
Written by Sue Walsh on January 4, 2010
A doctor at the UC San Francisco School of Medicine fell for a phishing scam and turned over his login credentials to hackers, exposing the personal information of over 600 patients. Demographic and clinical information on the patients and, in some cases, Social Security numbers were compromised. The doctor got an email that was made to look like it had come from the UCSF I.T. department and believed it.
The breach occurred in September but was not announced until after the investigation had been completed. It’s not the first time UCSF has been involved in a situation concerning compromised data. In 2007 the personal information of over 6,000 patients was made available on the net for months before it was discovered. The affected patients were infuriated when they realized UCSF waited 6 months to tell them because it wanted to complete its investigation first. UCSF responded by saying it was working to improve its security practices, but apparently it hasn’t done so.
The doctor’s name isn’t being revealed and the patients affected have been notified. UCSF said it has “re-educated” staff members on the importance of security and protecting their user names and passwords.





Anyone else here reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has a great chapter on security. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).