Data theft

Frequently asked questions

Q. What happened?
A. In early April, computer administrators within UC Berkeley's University Health Service (UHS) discovered that hackers had breached a computer server containing electronic databases used to store personally identifiable information belonging to a large number of UHS clients.

UHS alerted the campus CIO, Associate Vice Chancellor Shelton Waggener, who immediately activated an emergency security incident team to investigate the scope and impact of the security breach. In addition, the campus informed local and federal law enforcement agencies with jurisdiction over cybercrimes. Evidence uncovered to date suggests that this attack was launched by highly skilled criminal operations based overseas.

The day that the breach was discovered, every UHS database with possible external exposure was taken offline and completely isolated. The data are now completely protected from any future attempt to breach the system.

UC Berkeley computer administrators determined on April 21, 2009 that a number of electronic databases in UHS had been breached by overseas criminals. The databases stored personally identifiable information used for billing such as Social Security numbers, and non-treatment medical information such as immunization history, UHS medical record numbers, dates of visits or names of providers seen, or for participants in the Education Abroad Program, certain information from the self-reported health history. UHS electronic medical records, which include details of patients' diagnoses, treatments and therapies, are stored in a separate system and were not affected in this incident.

The evidence to date suggests that the theft began on October 9, 2008 and continued until April 6, 2009. After the breach was identified by UHS staff, the exposed databases and applications were removed from service to protect them from continued theft while a complete investigation into the cause of the breach is underway.

Q. Whose information was on these databases?
A. The university has a complete list of individuals on the breached databases and, as the forensic investigation continues, it will become clearer what data were actually stolen from each of the approximately 160,000 individuals. (This number includes duplicates that may appear on multiple databases.) Erring on the side of caution, the university decided to notify every individual whose legally protected personal information may have been exposed.

The databases stored personally identifiable information belonging to UHS clients, including UC Berkeley and Mills College students who contracted with UHS for student health services.

The victims of this crime are current and former students (as well as their parents and spouses if linked to insurance coverage), who had UHS health care coverage or received services.

In addition, Mills College students who received, or were eligible to receive, healthcare on the UC Berkeley campus were also affected. The stored information from UC Berkeley student records dates back to 1999, and information on former and current Mills College students dates back to 2001.

Q. What sort of information was on the databases?
A. The personally identifiable information stored on these databases and compromised by the hackers contained Social Security numbers, student identification numbers, names, dates of birth, addresses and contact information. In addition, the databases held non-treatment medical information such as immunization history, UHS medical record numbers, dates of visits or names of providers seen, or, for participants in the Education Abroad Program, certain information from the self-reported health history.

UHS electronic medical records, which include details of patients' diagnoses, treatments and therapies, are stored in a separate system and were not affected in this incident.

The illegally accessed databases did not hold any information about bank accounts, credit card accounts or driver's licenses.

Q. Why was it necessary for UHS to keep Social Security numbers?
A. Social Security numbers (SSNs) are used as a unique identifier for students enrolled in the Student Health Insurance Plan (SHIP). SSNs are included on the lists of students to be enrolled in SHIP that are sent securely encrypted to Anthem Blue Cross, the medical plan administrator, and MetLife, the dental plan carrier. Using the SSN, Anthem and MetLife can identify whether a student has primary coverage through another health plan. Coordinating benefits between plans saves students money by reducing out-of-pocket expenses for services that may be covered by other health insurance. SHIP does not use SSNs on member ID cards or in other ways that are prohibited by law.

Q. Exactly what kind of medical and health information was stored in the breached databases?
A. The databases contained the following types of medical and/or health insurance information:

  • Information about behavioral health services but not treatment received by students, such as treating provider's name, date of first visit, medical record number, and, if the client is deceased, cause of death. No treatment notes created by clinicians during sessions were included in the database.
  • Certain health history information submitted by students applying for participation in the Education Abroad Program.
  • Information about student immunizations.
  • Medical record numbers of students who withdrew from the University for medical reasons.
  • Health insurance status of UC Berkeley and Mills College students enrolled in the Student Health Insurance Plan.
  • Health information plan name and policy number of the individual carrying insurance for themselves or a dependent, which was used to request a waiver of enrollment in the Student Health Insurance Plan.

Q. Why was it necessary for UHS to have and store this information?
A. Most of the information about UHS clients (and, in some cases, their parents) was essential in order to ensure students' compliance with the UC health insurance requirements, to grant eligibility for treatment and access to services, and to ensure maintenance of updated immunization records.

Q. Why was ten-year-old information kept?
A. University policy stipulates that student health service records be kept for at least 10 years.

Q. Was the personally identifiable information encrypted?
A. All electronic communication is encrypted; however, on the central service system, none of the data are encrypted so we can access the information. Although encryption is required by policy for data on portable devices such as laptop computers, the online applications penetrated by the criminals were breached at the application layer where encryption would not have prevented theft.

Q. Is it possible to request that personal information be deleted from UHS records?
A. University Health Services is required by state law to retain medical information for seven years following the last date of service, and by University policy to maintain medical information for 10 years. As mentioned previously, all of these databases are now completely isolated and will not be returned to service until we fully understand the reasons for the security breach and have in place the best possible technologies and procedures to protect the data in the future.

Q. Could this breach have been prevented?
A. While the intruders were highly skilled and broke in using a number of different techniques, it remains to be determined to what extent the data theft could have been prevented. In order to ensure that these issues are fully scrutinized, the university has engaged data security experts to conduct a full investigation that will identify any shortcomings in our security systems, practices and policies. The campus is committed to implementing recommendations that address the root causes of this security breach and that will reduce the likelihood of a similar incident in the future.

Q. Why did it take so long (6 months) to detect the intrusion?
A. As previously noted, this was a highly skilled operation. The evidence suggests that the intruders began to probe the system in September 2008, and successfully broke into the server and its databases in early October. It was only after their final theft of data in April 2009 that the breach was detected, after the hackers left messages on the server. At that point, campus technology experts were able to determine the scope and duration of thefts. The university's internal investigation is being carried out in collaboration with an external auditor, PricewaterhouseCoopers. The campus is committed to implementing recommendations that address the root causes of this security breach and improve our ability to fend off future attacks against any of the university's computer systems.

Q. Why did it take almost a month for the university to inform individuals whose information was stored in these databases?
A. While signs of an intrusion were first detected on April 8, it took forensic technology experts until April 21 to determine which databases had been breached. Since then, a team of more than 20 people from across the campus has been working seven days a week to determine the exact scope and nature of the breach, analyze millions of log entries, track and analyze more than 2 million discrete attacks on the server, narrow down the list of potentially affected individuals and confirm which data were actually stolen.

The campus leadership has been monitoring the situation daily with the goal of sending out an alert as soon as possible. The criteria for timing of public notification included when most, but not all, of the information about potentially impacted individuals would be available and the time required to identify and hire a firm to operate a call-in center. Ultimately, we decided to err on the side of caution and warn individuals without yet knowing for certain exactly which data were actually stolen from each of the approximately 160,000 people that we are notifying. It should be noted that the interval between the determination on April 21 of what, exactly, was breached and the launch of the notification effort is consistent with the response timing of other institutions and corporations in similar circumstances.

Q. How are people being notified?
A. On May 8, 2009, the university began to inform approximately 160,000 people, notifying them that some of their personal information had been stolen from the breached databases. Email messages were sent to individuals for whom the university has addresses. Two separate versions of a notification letter were sent: one for those whose Social Security numbers were stolen and a second to those who may have lost health insurance or non-treatment medical information. Due to the decision to err on the side of caution and rapidly alert every individual whose information may have been exposed, some of the people being notified will receive two separate letters.

Once the email and letters were sent out, the campus activated the Data Theft Hotline: (888) 729-3301. Trained personnel are available to respond to questions and render assistance 24 hours a day, seven days a week until further notice.

In addition, the university has provided local, state and national media with comprehensive information about the incident as part of our effort to ensure that every means available is used to alert and inform potentially affected individuals. A dedicated web site, datatheft.berkeley.edu, has also been established and will be updated as new information about the incident and the university's response becomes available.

Q. If a person did not receive a letter or email notification, does that mean there is no chance their data was stolen?
A. There is the possibility that UC Berkeley does not have recent contact information on file for some of the individuals whose data were exposed or stolen. In order to ensure that every effort is made to contact every potentially affected individual, the University is employing external services that specialize in finding an individual's current contact information. If you have not received a notice, but have good reason to believe that your data may have been stored on one of the UHS databases, please contact the Data Theft Call Center: (888) 729-3301.

Q. What is UC Berkeley doing to improve the security of personal information and prevent similar incidents in the future?
A. Once suspicious activity was detected, UC Berkeley blocked access to the affected information and notified the FBI. The databases that were compromised were isolated and protected. UC Berkeley has also hired an outside internet security firm to work with campus information technology personnel in order to conduct a complete audit and comprehensive review of all information security measures. In addition, the university has launched an extensive effort to ensure that any databases with a set-up similar to UHS are isolated, secured and upgraded in order to forestall future breaches.

The university is committed to taking any and all steps necessary to enhance protection of its data and, to the greatest extent possible, prevent future thefts. In recent years, UC Berkeley has added and strengthened firewalls and intrusion detection systems, encrypted the data flows containing sensitive information, and increased vigilance in identifying threats and securing servers. In addition, access to Social Security numbers has been restricted to only those with a compelling business need, and Social Security numbers have been removed from most computer screens and printed reports.