Elizabeth Fernandez of the San Francisco Chronicle reports:
Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical-identity theft, The Chronicle has learned.
The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients’ physicians also was available online.
The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.
[…]
UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit’s potential or existing donors.
Target America, whose Web site says it maintains “the highest standards of security,” tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors “who could be giving you more.” Additionally, it unearths financial information about donor friends and business acquaintances – even offering maps of a donor’s neighborhood.
The breach was discovered, said UCSF officials, when the hospital was alerted that a patient’s name had been queried on the Internet “and it was listed in association with UCSF.”
Corinna Kaarlela, UCSF’s director of news services, said immediate action was taken to close off the information. Ten days after the breach’s discovery, UCSF ended its business agreement with Target America.
[…]
Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.
Hospital officials said it contracted with the company to assist “with identifying names of individuals who could potentially receive communications from UCSF.”
“Identification of potential donors who were active in the philanthropic community was one objective, along with identifying individuals who had corporate relationships, such as board service, or were affiliated with relevant community programs and health/care biomedical organizations,” Kaarlela said.
After the breach was discovered, the hospital said it required Target America to hire “an objective third-party firm” to investigate. UCSF received the forensic analysis report on March 26. It showed “that information was potentially accessible from July 1 to Oct. 9 last year “if a query for a specific name was made.” Notification letters were mailed to patients April 4.
Full story – San Francisco Chronicle