The attackers may have taken information related to health-insurance coverage and certain medical information as well as the University Health Services (UHS) medical-record number, dates of visits or names of healthcare providers seen, as well as information such as Social Security Number, according to the statement released by UC Berkeley.
About 160,000 individuals are believed to be impacted, including about 3,400 Mills College students whose medical care is tied to health care at Berkeley. Social Security Numbers are used as unique identifiers for students enrolled in the campus Student Health Insurance Plans, the university says.
"The university deeply regrets exposing our students and the Mills community to potential identity theft," said Shelton Waggener, UC Berkeley"s associate vice chancellor for information technology and CIO, said in the statement.
The university believes the server breach began on Oct. 9 last year and continued until April 9, when administrators performing maintenance identified messages left by the hackers, whose attack was launched from overseas. The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server, the university contends.
The Berkeley administrators do not believe the hackers were able to steal extensive medical records, said to be stored on a different system.
"Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services, adding the university is "deeply troubled" by the breach but that "medical records were not touched in this incident. We anticipate that the audit of our systems will inform UHS and the campus of steps that can be taken to continually improve security."
Berkeley is working with campus police and the Federal Bureau of Investigation in investigating the data breach, and the university urged victims of the incident to contact the university hotline established to answer questions at 1-888-729-3301 and to consider placing a fraud alert on their credit-reporting accounts. The campus has also set up a , for information.
a few years back because of a couple of security breaches, including a stolen laptop containing personal information on graduates and a compromised database of California residents.