Information for Mills College students
What happened?
In April, IT experts determined that criminal hackers had breached electronic databases belonging to UC Berkeley's University Health Services (UHS).
The databases were used to store personally identifiable information belonging to UHS clients, including former and current UC Berkeley and Mills College students who received, or were eligible to receive, medical services on the UC Berkeley campus.
Information belonging to former and current Mills College students dates back to 2001, due to a contract the college had with UHS for the provision of health services to Mills students.
Stolen information belonging to former and current UC Berkeley students and their parents dates back as far as 1999.
It has been confirmed that the hackers were able to steal Social Security numbers, health insurance information and non-treatment medical information such as UHS medical record numbers, dates of visits or names of providers seen.
UHS electronic medical records that include details of patients' diagnoses, treatments and therapies are stored in a separate system and were not affected in this incident.
Not all of the people whose information was stolen had Social Security numbers stolen.
Not all of the people whose data may have been exposed had health insurance information or non-clinical medical information stolen.
The illegally accessed databases did not hold any information about bank accounts, credit card accounts or driver's licenses.
The data thefts began on October 9, 2008, and continued until April 6, 2009.
How are people being notified?
On May 8, 2009, UC Berkeley began working to send emails and letters to individuals whose information may have been stolen. The letters contain information about what was stolen and steps people can take to minimize the risk of identity theft.
Two separate versions of the notification letter were sent; one for those whose Social Security numbers were stolen and a second to those who may have lost health insurance or non-clinical medical information.
People who lost both SSNs and health insurance information or non-clinical medical information will receive two letters.
Who should I contact?
Once the e-mails and letters were sent out. the campus activated the Data Theft Hotline (888) 729-3301. Trained personnel will be available to respond to questions and render assistance 24 hours a day, seven days a week, until further notice.
UC Berkeley has established a dedicated website: datatheft.berkeley.edu. The state of California also has a comprehensive website on identity theft.
How does someone know if their information was on any of the affected databases?
If they received a notification letter or e-mail from UC Berkeley, their name appears in the illegally accessed databases. There may, however, be some individuals who did not receive notification due to a recent change of address or other pertinent contact information. Those who don't know whether they are in the compromised database should phone the Data Theft Hotline, (888) 729-3301.
If someone's name was on one of the breached databases, does that mean they are already the victim of identify theft?
No. The fact that someone had access to their information doesn't mean they are a victim of identity theft and/or that their information has already been used by the criminals responsible for the breach.
What steps is UC Berkeley taking to improve the security of personal information and prevent similar incidents in the future?
Once suspicious activity was detected, UC Berkeley blocked access to the affected information and notified the FBI. The databases that were compromised were isolated and protected. UC Berkeley has also hired an outside Internet security firm to work with campus information technology personnel in order to conduct a complete audit and comprehensive review of all information security measures.