Data Breach: UC San Diego Health Hit with Class Action Over Alleged Four-Month Phishing Attack

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action has been filed over an alleged UC San Diego Health data breach in which hackers reportedly gained unauthorized access to employees’ email accounts over a span of four months. 

According to the 48-page lawsuit, the cyberattack against the University of California, San Diego academic health system, comprised of a number of health institutions in the San Diego region, took place between December 2, 2020 and April 8, 2021. The suit alleges the perpetrators were able to exfiltrate myriad highly sensitive data stored on UC San Diego Health’s servers, including patients’ full names; addresses; dates of birth; email addresses; fax numbers; claims information, including dates and cost of certain services and claims identifiers; lab results; diagnoses and conditions; medical record numbers; prescription and treatment data; Social Security numbers; government IDs; payment card specifics; security codes; student ID numbers; and usernames and passwords. 

The data breach occurred as a result of UC San Diego Health’s failure to implement reasonable cybersecurity procedures and practices and provide employees with basic cybersecurity training designed to prevent phishing attacks such as the incident at issue, the lawsuit alleges. The case moreover chides UC San Diego Health over its alleged failure to adequately monitor for and detect unusual server activity, disclose material facts about its “deficient data security protocols” and timely notify those affected by the hack. 

The suit contends that the threat of a data breach was “known and obvious” to UC San Diego Health, least of all because healthcare providers have of late been prime targets for data thieves. In fact, the case says, UC San Diego Health itself has previously been the subject of data security incidents that “should have put it on high alert that it was a prime target for cyberattacks.” 

According to the complaint, the health system published notice of the data breach on its website on July 27, 2021, more than three months after the issue was discovered. As a result, those affected by the data breach face a heightened risk of medical-related identity theft and fraud, financial fraud and other consequences “now and into the indefinite future,” the case says. 

The suit contends that although UC San Diego Health has stated in its privacy disclosures its commitment to protecting the confidential patient data in its care, not to mention provide prompt notice in the event a breach occurs, hackers were nevertheless able to access employee email accounts in December 2020 by way of a phishing attempt. Per the case, phishing is the practice of sending fraudulent emails that purport to be from a reputable source in order to induce an employee into revealing sensitive information or deploy malicious software on a network. 

According to the complaint, the hackers who accessed UC San Diego Health’s network were able to go through the defendant’s servers “unimpeded” for months. Even when the defendant first discovered “unusual activity” on its servers on March 12, 2021, it took UC San Diego Health several more weeks to actually terminate the unauthorized access, the lawsuit claims. 

When UC San Diego Health eventually disclosed the incident on July 27, its notice did not identify which specific patients were affected, and failed to affirmatively alert those involved in the breach to take measures to protect themselves, the suit says. Per the complaint, UC San Diego Health waited until September 9 to begin individually notifying affected patients that their information had been exposed in the breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.