
Cyber Incident Victim: UC Health

Date: Jul 2019

Location: United States of America

Summary

A phishing attack compromised a limited number of UC Health employee email accounts over a week-long period, enabling unauthorized access to messages and attachments. The healthcare provider could not confirm whether specific emails were viewed but initiated notifications to potentially affected individuals due to exposed patient names, dates of birth, medical record numbers, and clinical details. Postal notifications were planned without complementary credit monitoring services.


Description

On July 6, 2019, UC Health detected a phishing incident that resulted in unauthorized access to a limited number of employee email accounts. The unauthorized access period spanned from July 6 to July 12, 2019, though the organization did not disclose the exact number of compromised accounts. An investigation was initiated following the discovery but could not conclusively determine whether any emails or attachments within the affected accounts were actually viewed by unauthorized parties. This uncertainty necessitated notifications to all individuals potentially impacted by the breach. The compromised email accounts contained patient information including names, dates of birth, medical record numbers, and clinical details related to medical care. UC Health publicly disclosed the incident via a press release but had not yet initiated patient notifications through postal mail at the time of the September 4, 2019 report.

The organization opted to notify affected patients by postal letter despite the inability to confirm actual misuse of data. The notification process explicitly excluded offers of credit monitoring or identity protection services, which are commonly provided in healthcare breaches involving sensitive identifiers. Clinical information exposed in the emails posed potential privacy risks but did not include financial data or Social Security numbers based on UC Health's disclosure. The six-day window of unauthorized access suggested sustained attacker activity following the initial phishing compromise. UC Health's public statement emphasized the limited scope of impacted accounts but did not elaborate on technical containment measures or employee retraining implemented post-incident. Patient notifications remained pending nearly two months after the breach discovery date, with no supplementary support services announced for impacted individuals.
