Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 7th, 2008

University Of California At San Francisco Patients Records Exposed

Information on thousands of University of California at San Francisco (UCSF) patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft. The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients’ physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later. The breach was discovered when the hospital was alerted that a patient’s name had been queried on the Internet “and it was listed in association with UCSF”. After the breach was discovered, the hospital said it required Target America to hire “an objective third-party firm” to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year “if a query for a specific name was made.” Notification letters were mailed to patients April 4.

While UCSF officials stressed that the breach did not involve Social Security numbers, patients could nonetheless be at risk for harm. To commit medical identity theft, patient’s name, address and the name of the hospital needed. If there is also a doctor’s name and the medical department where the patient was being treated, it is even better. While there is also a medical record number, it is a real disaster for patients. Sensitive information can be used by employers, health insurers and other entities to discriminate thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.

UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit potential or existing donors. According to UCSF director of news services, immediate action was taken to close off the information. Ten days after the breach’s discovery, UCSF ended its business agreement with Target America. Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials say there’s no indication of identity theft to date.

Share this item with others:

More on CyberInsecure:
  • Movie Sharing Program Causes A Security Breach In University Of California San Francisco
  • University Of Massachusetts Amherst’s Health Services Network Breached By Hackers
  • Staten Island University Hospital Patients Personal Records Stolen In December
  • University Of Utah Hospitals & Clinics Stolen Backup Tape Contained 2.2 Million Billing Records
  • Tapes With Over 2 Million Records Stolen From University of Miami

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: University Of California At San Francisco Patients Records Exposed

    One Response to “University Of California At San Francisco Patients Records Exposed”

    1. Niccolo Caldararo Says:
      January 22nd, 2011 at 1:09 pm

      How do I get copies of my medical records sent to my current physician at Kaiser? I was a patient under Blue Cross in the 1980s and 1990s.

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.