TrendHackers break into UC Berkeley health-services databases

Published 11 May 2009

Hackers began breaking into the databases back in October, and continued to steal information until breach was discovered on 9 April; about 160,000 individuals believed to be affected by breach

Last week we reported about hackers breaking into the database of a Virginia pharmaceutical clearing house and encrypting it — and the hundreds of thousands of prescriptions it contained. The hackers are demanding $10 million to un-encrypt the database so it may be used again (Virginia health authorities have said that the database has been backed-up, so that the hackers’ encryption would not disrupt service to patients). On Friday, the University of California at Berkeley disclosed that hackers broke into restricted computer databases in the campus health-services center, as the university began notifying current and former Berkeley students their personal information may have been taken.

Networkworld’s Ellen Messmer writes that The attackers may have taken information related to health-insurance coverage and certain medical information as well as the University Health Services (UHS) medical-record number, dates of visits or names of healthcare providers seen, as well as information such as Social Security Number, according to the statement released by UC Berkeley.

About 160,000 individuals are believed to be impacted, including about 3,400 Mills College students whose medical care is tied to health care at Berkeley. Social Security Numbers are used as unique identifiers for students enrolled in the campus Student Health Insurance Plans, the university says. “The university deeply regrets exposing our students and the Mills community to potential identity theft,” said Shelton Waggener, UC Berkeley”s associate vice chancellor for information technology and CIO, said in the statement.

The university believes the server breach began on 9 October last year and continued until 9 April, when administrators performing maintenance identified messages left by the hackers, whose attack was launched from overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server, the university contends.

The Berkeley administrators do not believe the hackers were able to steal extensive medical records, said to be stored on a different system.

Patient privacy and quality care are cornerstones of our services,” said Steve Lustig, associate vice chancellor for health and human services, adding the university is “deeply troubled” by the breach but that “medical records were not touched in this incident. We anticipate that the audit of our systems will inform UHS and the campus of steps that can be taken to continually improve security.”

Berkeley is working with campus police and the Federal Bureau of Investigation in investigating the data breach, and the university urged victims of the incident to contact the university hotline established to answer questions at 1-888-729-3301 and to consider placing a fraud alert on their credit-reporting accounts. The campus has also set up a Web site, for information.