Hackers Hit UC Berkeley Health Services Center Database

The University of California, Berkeley recently notified students, alumni, and others that their personal information may have been stolen after hackers attacked restricted computer databases in the campus' health services center.

The databases contained Social Security numbers, health insurance information, and non-treatment medical information, such as immunization records and names of some of the physicians students may have seen for diagnoses or treatment.

According to UC Berkeley computer administrators, the hackers didn't access the University Health Services' (UHS) medical records, which include patients' diagnoses, treatments, and therapies. Those records are stored in a separate system and weren't affected in this incident.

The breach was discovered April 21, 2009, when administrators performing routine maintenance identified messages left by the hackers. They found that hackers had illegally accessed restricted electronic databases beginning on October 9, 2008, and continuing until April 6, 2009. All of the exposed databases were removed from service to prevent further attacks.

Administrators immediately activated an emergency security incident team to investigate the scope and impact of the breach, alerting campus police and the FBI. Evidence uncovered to date suggests that the attack was launched by hackers based overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server.

In all, more than 160,000 individuals could be affected, including those who had their Social Security numbers accessed and others who may be at risk for identity theft. E-mails were sent starting in early May, with letters following. These communications include guidance on steps these individuals should take to guard against potential identity theft. A hotline has been established to answer questions from affected individuals.

The victims are current and former UC Berkeley students (as well as their parents and spouses) who had UHS health care coverage or received services. The campus is also sending notification letters to approximately 3,400 Mills College students who received, or were eligible to receive, health care at UC Berkeley.

The data for UC Berkeley students and alumni and their parents date back to 1999. The information involving Mills College former and current students dates back to 2001.

"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley's CIO and associate vice chancellor for IT. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."

Individuals whose names and personal data were stolen have been advised by the university to place a fraud alert on their credit reporting accounts. The campus has set up a Web site, datatheft.berkeley.edu, to assist these individuals with contact information for key resources, and it has established a 24-hour data theft hotline to answer their questions.

"Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services. "We are deeply troubled that this breach will concern our current and former clients and want to reassure them that the medical records systems were not touched in this incident. We anticipate that the audit of our systems will inform UHS and the campus of steps that can be taken to continually improve security."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
