Berkeley health records safe after six-month data breach
The University of California (UC) Berkeley began notifying students, alumni and others on May 8 that their personal information may have been stolen after learning in April that hackers had accessed restricted computer databases in its health services center.
The server breach began on Oct. 9, 2008, and continued until April 9, when campus computer administrators performing routine maintenance identified messages left by the hackers. Evidence uncovered to date suggests that the attack was launched by hackers based overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server, the university noted.
When the campus realized the breach had occurred, administrators removed the exposed databases from service to prevent any further attack and notified campus police and the FBI.
The databases contained individuals' Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and names of some of the physicians they may have seen for diagnoses or treatment. The hackers did not access the University Health Services' (UHS) EMRs, according to UC Berkeley administrators.
More than 160,000 individuals will be alerted via email and letters, including those who had their Social Security numbers accessed and others who may be at risk for identity theft. The campus is also sending notification letters to approximately 3,400 Mills College students who received, or were eligible to receive, healthcare coverage or services at UC Berkeley.
The communications will also include guidance on steps these individuals should take to guard against potential identity theft. The university said it has established a hotline to answer any questions from individuals who received notices.
The campus has set up a Web site, datatheft.berkeley.edu, to assist the individuals with contact information for resources.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley's associate vice chancellor for IT and its chief information officer. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."
The server breach began on Oct. 9, 2008, and continued until April 9, when campus computer administrators performing routine maintenance identified messages left by the hackers. Evidence uncovered to date suggests that the attack was launched by hackers based overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server, the university noted.
When the campus realized the breach had occurred, administrators removed the exposed databases from service to prevent any further attack and notified campus police and the FBI.
The databases contained individuals' Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and names of some of the physicians they may have seen for diagnoses or treatment. The hackers did not access the University Health Services' (UHS) EMRs, according to UC Berkeley administrators.
More than 160,000 individuals will be alerted via email and letters, including those who had their Social Security numbers accessed and others who may be at risk for identity theft. The campus is also sending notification letters to approximately 3,400 Mills College students who received, or were eligible to receive, healthcare coverage or services at UC Berkeley.
The communications will also include guidance on steps these individuals should take to guard against potential identity theft. The university said it has established a hotline to answer any questions from individuals who received notices.
The campus has set up a Web site, datatheft.berkeley.edu, to assist the individuals with contact information for resources.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley's associate vice chancellor for IT and its chief information officer. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."