By Erin Allday, SF Chronicle
Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.
The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.
The university is not identifying the physician.
A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.
The patients have all been notified of the security breach.
Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.
For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.
In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.
Here is another avoidable healthcare data breach at a university: a phishing e-mail harvested one physician's user name and password, and that single credential was enough to expose a mailbox containing patient demographic and clinical data and Social Security numbers. That points to weak baseline security controls as much as to a lack of security awareness training. Healthcare organizations are not ready for HIPAA compliance under the HITECH provisions of ARRA. Check out why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges.
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
With the healthcare standard electronic transaction rule (compliance date January 1, 2012) and the HITECH provisions (compliance date February 17, 2010) in the pipeline for healthcare organizations, isn't it about time they got their house in order?
December 16th, 2009 6:25 pm
Healthcare organizations have run out of slack time. The time is now to get on the compliance bandwagon before it is too late. Fines and jail time should be the least of the worries for the C level at this moment; a security breach in a state of non-compliance is a business-limiting risk which they simply can't afford.