Breach, Industry Regulations, Incident Response

UCSD Health sued by breach victims after undetected email hack

UC San Diego Health’s Jacobs Medical Center is seen in this photo from 2017. (TritonsRising via Wikimedia Commons)

The University of California San Diego Health is facing two breach lawsuits filed in the U.S. District Court of Southern California by two patients impacted by an undetected email hack. The suit makes a number of allegations around UCSD Health's security failings, including negligence.

UCSD Health is made up of multiple medical centers, specialist care sites, and outpatient facilities. With 495,949 patients affected by the incident, the incident remains among the top 10 largest data breaches reported in the health care sector in 2021.

In late-July, UCSD health first reported it experienced a four-month hack of multiple employee email accounts, which compromised health, financial and claims data. An investigation, led with support from the FBI and a third-party cybersecurity firm, was ongoing at the time of the initial breach notification. A subsequent, more detailed notice was released in early September.

Investigators concluded the account hack occurred between Dec. 2, 2020, and April 8, 2021. During the intrusion, the attacker may have accessed or acquired a subset of data from some patients, students and employees, including a range of protected health and Social Security numbers, along with troves of identifiers and financial account details.

The lawsuit explained that the intrusion was first discovered on March 12, which was not provided in either notice. Under the Health Insurance Portability and Accountability Act, providers are required to notify patients within 60 days of discovering a data breach, not at the close of an investigation.

The issue of failing to timely notify is among the arguments raised in the lawsuit filed by Denise Menezes, a patient of the UCSD Health’s Moores Cancer Center. Although UCSD posted a notice on its site about the email incident in July, patient notices were not sent until September.

The second lawsuit was filed by Richard Hartley and alleges claims of negligence, invasion of privacy, violations of the California Consumer Privacy Act and the Confidentiality of Medical Information Act, unjust enrichment, and breaches of implied contract, fiduciary duty, and confidence.

The Menezes lawsuit claims the incident occurred due to the health system failing to implement reasonable security procedures and policies, in addition to failing to implement measures to adequately monitor and detect suspicious activity and failing to train its employees with “basic cybersecurity training” to prevent phishing attacks.

It should be noted there are no security tools able to prevent all phishing attacks, particularly with the rise and effectiveness of social engineering schemes.

The UCSD Health notice makes no mention of phishing, but victims claim the incident was caused by employees responding to malicious emails. In doing so, the attackers gained access to the network and proliferated, undetected across connected devices for months “as the organization had inadequate security controls in place to monitor for unusual and irregular activity.”

The victim also claims UCSD did not disclose “material facts surrounding its deficient data security protocols.” As a result of these inadequate security measures and subsequent failures, the lawsuit further purports that patients now face a significant risk of medical-related identity theft and fraud, among other identity-related crimes.

The lawsuit argues the security enhancements added by the health system in response to the incident are “industry-standard measures that should have been implemented long before the data breach occurred.” As noted in the filing, the incident is among two other data breaches reported by UCSD Health since 2016.

Lastly, UCSD Health is accused of violating HIPAA and other federal regulations.

“UCSD Health had the knowledge and resources to prevent a breach — and in fact made significant expenditures to promote its growing health care practice — but neglected to make corresponding investments in data security to ensure the thousands of sensitive files in its possession were securely stored,” the lawsuit claims.

In terms of harm, the Menezes lawsuit outlines a number of potential fraud-related activities, along with lost value of their personally identifiable information, loss of privacy and emotional stress, among other financial harms.

Meanwhile, the Hartley lawsuit argues he suffered actual injury from the potential data theft, due to paying for UCSD Health services that he would not have done if the provider “disclosed that they lacked data security practices adequate” to protect patient data. Other harm claims include “imminent and impending injury arising from the present and continuing risk of fraud and identity theft.” 

However, a June Supreme Court decision established that only individuals concretely harmed by a breach violation have standing to seek damages against an entity. In addition, the “risk of harm” appears to be a dead letter issue, outside of injunctive relief claims that demonstrate risk of harm in the future is both imminent and substantial.

In the last year alone, two prime examples demonstrate the need to demonstrate harm in actuality. The U.S. District Court for Pennsylvania’s Eastern District dismissed two out of three claims made in a lawsuit against Universal Health Services in May, directly citing the suit did not provide evidence of harm.

The UHS lawsuit stemmed from a network outage brought on by a September ransomware attack. One claim was allowed to continue as the patient’s surgery was delayed for six weeks because of the cyberattack. The man was unable to return to work, lost his job, and the patient was forced to purchase alternative insurance at a higher rate.

And in early February, the Delaware Superior Court tossed a lawsuit against Brandywine Urology Consultants as the victims failed to provide evidence of injuries and losses caused by a 2020 ransomware attack against the specialist.

Still, the lawsuits are seeking to recover the value of PII lost during the account hack and “permitted through UCSD Health’s wrongful conduct.” The victims are also seeking injunctive or other equitable relief.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.