In June 2015, the California Office of the Attorney General disclosed a data breach at the **University of California Irvine Medical Center**, where an employee improperly accessed patient records over an extended period—from **June 2011 to March 2015**. The unauthorized access exposed **personal health information (PHI)** of an **unknown number of patients**, though investigations found **no evidence of sensitive data being stolen or misused**. The breach stemmed from internal misconduct, highlighting vulnerabilities in **employee access controls and monitoring protocols**. While the exposed data included patient details, the lack of confirmed theft or external exploitation mitigated some risks. However, the prolonged duration of the breach (nearly **four years**) raised concerns about **compliance with healthcare privacy regulations (e.g., HIPAA)** and the potential for **reputational damage** due to the mishandling of confidential medical records. The incident underscored the need for stricter **audit trails, access restrictions, and employee training** to prevent similar internal breaches in healthcare institutions.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-56428
TPRM report: https://www.rankiteo.com/company/uc-irvine-medical-center
"id": "uc-952091725",
"linkid": "uc-irvine-medical-center",
"type": "Breach",
"date": "6/2011",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'Unknown (Patients)',
'industry': 'Healthcare',
'location': 'Orange, California, USA',
'name': 'University of California Irvine Medical '
'Center',
'type': 'Healthcare Provider / Academic Medical '
'Center'}],
'attack_vector': 'Insider Access Abuse',
'data_breach': {'data_exfiltration': 'No Evidence',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': 'Likely (PHI includes '
'PII elements)',
'sensitivity_of_data': 'High (Health Records)',
'type_of_data_compromised': 'Personal Health Information '
'(PHI)'},
'date_detected': '2015-03-01',
'date_publicly_disclosed': '2015-06-17',
'description': 'An employee improperly accessed patient records between June '
'2011 and March 2015 at the University of California Irvine '
'Medical Center. The breach potentially affected an unknown '
'number of patients, exposing various personal health '
'information, but no evidence was found of sensitive '
'information being removed.',
'impact': {'brand_reputation_impact': 'Potential Reputational Harm '
'(Healthcare Trust Erosion)',
'data_compromised': ['Personal Health Information (PHI)'],
'identity_theft_risk': 'Low (No Evidence of Data Exfiltration)'},
'investigation_status': 'Completed (No Evidence of Data Theft)',
'motivation': 'Unknown (Potentially Unauthorized Curiosity or Malicious '
'Intent)',
'post_incident_analysis': {'root_causes': 'Lack of Access Controls / '
'Monitoring for Insider Threats'},
'references': [{'date_accessed': '2015-06-17',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA (Potential '
'Violation)',
'California Data Breach '
'Notification Law'],
'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'communication_strategy': 'Public Disclosure via California '
'Office of the Attorney General'},
'threat_actor': 'Internal Employee',
'title': 'University of California Irvine Medical Center Data Breach '
'(2011-2015)',
'type': 'Data Breach (Insider Threat)'}