Medical information on thousands of University of California at San Francisco (UCSF) School of Medicine patients was available on the internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft.
The breach was discovered Oct. 9, 2007, but the hospital did not send out notification letters to the 6,313 affected patients until April 4, nearly six months later, according to the San Francisco Chronicle.
The data accessible online included names, patient addresses, and names of the departments where medical care was provided, the Chronicle reported. Some patient medical record numbers and the names of the patients’ physicians also were available online.
“This is a large and very significant data breach,” Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research and consumer education group, told the Chronicle. “To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients.”
Hospital officials reported that there has been no indication of identity theft to date, and also stressed that Social security numbers were not exposed.
UCSF had shared information on its patients with a vendor, Target America, which mines electronic databases amassing information about a nonprofit’s potential or existing donors, the Chronicle reported.
Corinna Kaarlela, UCSF director of news services, told the Chronicle that immediate action was taken to close off the information exposure. Ten days after the discover of the breach, UCSF ended its business agreement with Target America. However, since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.
After the breach was discovered, the hospital told the Chronicle that it required Target America to hire “an objective third-party firm” to investigate. UCSF received the forensic analysis report March 26, which showed that information was potentially accessible from July 1 to Oct. 9 of last year “if a query for a specific name was made.”