UCSF Statement: Email Phishing Breach

April 26, 2023

In compliance with the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, UCSF is providing notice to local news media regarding an email breach that included the names and some other identifiers of some of our patients.

On Feb. 9, 2023, UCSF was the target of a phishing attack, in which 11 UCSF email accounts were compromised. Upon discovery of the incident, UCSF acted immediately to secure the impacted accounts and to investigate the scope of the intrusion. Our investigation confirmed the breach impacted only email. However, on Feb. 28, 2023, we determined that those compromised email accounts included patient identifiers and health information.

The security of protected health information at UCSF is of utmost importance. While there is no known evidence that there has been any attempted use of the information in the emails, UCSF is responding with the highest level of caution and concern.

Notification letters have been sent to the 676 UCSF Health patients whose information was involved, and UCSF has set up a special phone service to provide assistance to these individuals. The California Department of Public Health and federal authorities have been alerted, and the California Attorney General and HHS Secretary are being notified.

Additionally, individuals who receive the notification are being encouraged to closely monitor any “Explanation of Benefits” sent by their insurers and to follow up on any payments that are not recognized.

UCSF is committed to maintaining the privacy and security of health information and has taken robust steps to protect patients’ information, including instituting strong security standards and controls and providing ongoing privacy and security training for all employees. Additionally, all employees involved in this incident are receiving re-training in privacy and security.

Should you have any questions about this matter, please call our toll-free number at (877) 809-1270, extension 32750.