Hackers Hit UC Berkeley Health Services Center Database

The University of California, Berkeley recently notified students, alumni, and others that their personal information may have been stolen after hackers attacked restricted computer databases in the campus' health services center.

The databases contained Social Security numbers, health insurance information, and non-treatment medical information, such as immunization records and names of some of the physicians students may have seen for diagnoses or treatment.

According to UC Berkeley computer administrators, the hackers didn't access the University Health Services' (UHS) medical records, which include patients' diagnoses, treatments, and therapies. Those records are stored in a separate system and weren't affected in this incident.

The breach was discovered April 21, 2009, when administrators performing routine maintenance identified messages left by the hackers. They found that restricted electronic databases had been illegally accessed beginning on October 9, 2008, and continuing until April 6, 2009. All of the exposed databases were removed from service to prevent further attacks.

Administrators immediately activated an emergency security incident team to investigate the scope and impact of the breach, alerting campus police and the FBI. Evidence uncovered to date suggests that the attack was launched by hackers based overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server.

In all, more than 160,000 individuals could be affected, including those who had their Social Security numbers accessed and others who may be at risk for identity theft. E-mails were sent starting in early May, with letters following. These communications include guidance on steps these individuals should take to guard against potential identity theft. A hotline has been established to answer questions from affected individuals.

The victims are current and former UC Berkeley students (as well as their parents and spouses) who had UHS health care coverage or received services. The campus is also sending notification letters to approximately 3,400 Mills College students who received, or were eligible to receive, health care at UC Berkeley.

The data for UC Berkeley students and alumni and their parents date back to 1999. The information involving Mills College former and current students dates back to 2001.

"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley's CIO and associate vice chancellor for IT. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."

Individuals whose names and personal data were stolen have been advised by the university to place a fraud alert on their credit reporting accounts. The campus has set up a Web site, datatheft.berkeley.edu, to assist these individuals with contact information for key resources, and it has established a 24-hour data theft hotline to answer their questions.

"Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services. "We are deeply troubled that this breach will concern our current and former clients and want to reassure them that the medical records systems were not touched in this incident. We anticipate that the audit of our systems will inform UHS and the campus of steps that can be taken to continually improve security."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
