Hackers Steal 160,000 Health Records From UC Berkeley Database

Hackers Steal 160,000 Health Records From UC Berkeley Database

The University of California, Berkeley said Friday that overseas hackers had broken into a computer database containing health care and other personal information of 160,000 students, alumni and their families.

Altogether, the stolen data included Social Security numbers, health insurance information and nontreatment medical information, such as immunization records and the names of some of the physicians the victims have seen for diagnoses or treatment. However, personal records, such as patients' treatments and therapies, were stored in a separate system overseen by University Health Services (UHS) and not affected by the data breach, university officials said in a statement.

Officials have since removed from service the exposed databases, and alerted the FBI and campus police. They also have commissioned the services of an independent IT security firm to investigate the incident. Officials said that evidence indicates the attack was launched by hackers based overseas. During the attack, the hackers infiltrated a public Web site while bypassing additional secured databases stored on the same server.

Victims include current and former Berkeley students dating back to 1999, in addition to their parents and spouses who were under UHS health care coverage or received services. Data breach victims also include about 3,400 Mills College students, dating back to 2001, who received or were eligible to receive Berkeley's health care services.

http://www.crn.com/security/217400074;jsessionid=WIZMTVGQSTB1EQSNDLPCKH0CJUNN2JVN

We were alerted yesterday morning. Evidently this hacking has been going on for months.

From the same article...

"The breach occurred on Oct. 9, 2008, and continued until April 9, 2009, before a campus IT administrator discovered messages left by the hackers while conducting routine maintenance.

The university notified all affected data breach victims after learning of the hack. The university issued e-mails Friday to some victims, while others are expected to receive notification letters next week. The communication included tips on steps victims should take to protect themselves against identity theft. Administrators advised affected individuals to place a fraud alert on their credit reporting accounts. The university has established a Web site containing contact information for key resources and has set up a 24-hour hotline to field questions for data breach victims.

Once the breach was discovered, university officials activated an emergency security incident team to investigate the scope and impact of the breach."