The databases contained individuals' Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and names of some of the physicians they may have seen for diagnoses or treatment.
UC Berkeley administrators pointed out that the hackers fortunately did not access University Health Services's (UHS) medical records, which include patients' diagnoses, treatments and therapies. Those records are stored in a separate system and were not affected by this crime.
The campus learned of the breach in April, immediately removed the exposed databases from service to prevent any further attacks, and alerted campus police and the FBI. In all, more than 160,000 individuals will be alerted, including those who had their Social Security numbers accessed and others who may be at risk for identity theft. E-mails were issued starting today, and letters should start arriving over the next week. These communications will also include guidance on steps these individuals should take to guard against potential identity theft. A hotline has been established to answer any questions from individuals who received notices.
The victims of this crime are current and former UC Berkeley students (as well as their parents and spouses, if linked to insurance coverage) who had UHS health care coverage or received services. The campus is also sending notification letters to approximately 3,400 Mills College students who received, or were eligible to receive, health care at UC Berkeley. The data for UC Berkeley students, alumni and their parents date back to 1999. The information involving Mills College former and current students dates back to 2001.
The server breach began on Oct. 9, 2008, and continued until April 9, 2009, when campus computer administrators performing routine maintenance identified messages left by the hackers. Administrators immediately activated an emergency security incident team to investigate the scope and impact of the breach; evidence uncovered to date suggests that the attack was launched by hackers based overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley's associate vice chancellor for information technology and its chief information officer. "The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks."
Individuals whose names and personal data were stolen should consider placing a fraud alert on their credit reporting accounts. The campus has set up a Web site, http://datatheft.berkeley.edu, to assist these individuals with contact information for key resources, and it has established a 24-hour Data Theft Hotline, 888-729-3301, to answer their questions.
Social Security numbers are used as a unique identifier for students enrolled in the campus's Student Health Insurance Plans (SHIP). Many insurance carriers use Social Security numbers as unique identifiers in their systems. Coordinating benefits between plans saves students money by reducing their out-of-pocket expenses for services that may be covered by other health insurance. The campus's insurance plan does not use Social Security numbers on member ID cards or in other ways prohibited by law.
Most of the information about the UHS clients - and, in some cases, about their parents - was essential to ensure students' compliance with the UC health insurance requirement, to grant eligibility for treatment and access to services, and to ensure maintenance of updated immunization records.
The hackers may have stolen information related to health insurance coverage and some medical information such as one's immunization history, UHS medical record number, dates of visits or names of providers seen or, for a student participating in UC Berkeley's Education Abroad Program, certain information from his or her self-reported health history.
"Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services. "We are deeply troubled that this breach will concern our current and former clients and want to reassure them that the medical records systems were not touched in this incident. We anticipate that the audit of our systems will inform UHS and the campus of steps that can be taken to continually improve security."