Cyber Incident Victim: University of California San Diego Health
Date: Mar 2020
Location: United States of America
Summary
UC San Diego Health experienced a data breach resulting from a phishing attack that compromised employee email accounts, potentially exposing sensitive personal, medical, and financial information of patients, employees, and students. The unauthorized access spanned over four months, during which attackers may have obtained names, addresses, Social Security numbers, medical records, treatment details, insurance claims data, and financial account information. While the investigation found no evidence of subsequent misuse of the accessed data or compromise of other systems, the health system advised vigilance against potential identity theft and plans to issue individual notifications upon completing its inquiry.
Description
UC San Diego Health experienced a data breach resulting from a phishing attack that compromised employee email accounts between December 2, 2020, and April 8, 2021. The academic health system, which operates multiple medical facilities under a single license, confirmed unauthorized access persisted for over four months before detection. Attackers potentially obtained personal information belonging to patients, employees, and students during this period. An investigation involving internal security teams and external cybersecurity experts found no evidence that compromised data had been misused following the breach. The exposed information included highly sensitive details such as full names, addresses, Social Security numbers, government IDs, financial account numbers, medical record identifiers, diagnoses, laboratory results, prescription details, treatment information, and login credentials.

The health system confirmed that the breach was confined to the compromised email accounts, with no indication of broader network intrusion. UC San Diego Health initiated breach notification procedures, with letters scheduled for distribution to affected individuals by September 30, 2021, following completion of the investigation. While awaiting formal notifications, the organization advised community members to monitor financial statements, credit reports, and health insurance explanations of benefits for unauthorized activity. The institution also recommended rotating credentials and enabling multifactor authentication on personal accounts as precautionary measures. No evidence emerged suggesting operational disruptions to medical facilities or clinical systems during or after the incident period.
