UC Berkeley alerts students to health data breach

By Molly Merrill
10:21 AM

Officials at the University of California, Berkeley are notifying more than 160,000 individuals that their personal information may have been stolen after hackers attacked restricted computer databases in the campus' health service center.

The databases stored personally identifiable information used for billing, such as Social Security numbers, and non-treatment medical information such as immunization history, UHS medical record numbers, dates of visits or names of providers seen or, for participants in the Education Abroad Program, certain information from the self-reported health history.

Officials say hackers did not access University Health Services' medical records, which include patients' diagnoses, treatments and therapies. Those records are stored in a separate system.

"Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services. "We are deeply troubled that this breach will concern our current and former clients and want to reassure them that the medical records systems were not touched in this incident. We anticipate that the audit of our systems will inform UHS and the campus of steps that can be taken to continually improve security."

On April 21, UC Berkeley computer administrators identified that the electronic databases in the University Health Services had been breached by overseas criminals, and they removed the computers from service. According to officials, the hackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server. Based on messages left by the hackers, administrators determined that the server breach began on October 9.

Notifications are being sent to former UC Berkeley students (as well as their parents and spouses, if linked to insurance coverage) who had University Health Services coverage or received services. The campus is also sending notification letters to approximately 3,400 Mills College students who received, or were eligible to receive, healthcare at UC Berkeley.

"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley's associate vice chancellor for information technology and its chief information officer. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."

The data for UC Berkeley students, alumni and their parents date back to 1999. The information involving former and current Mills College students dates back to 2001.

The university's internal investigation is being carried out in collaboration with an external auditor, PricewaterhouseCoopers, and will work to identify any shortcomings in its security systems, practices and policies and implement recommendations to prevent future breaches.