DataBreaches.Net


Data breach affects nearly 900 patients from two San Francisco hospitals

Posted on May 12, 2018 by Dissent

Catherine Ho reports:

The personal information of nearly 900 patients of San Francisco General and Laguna Honda hospitals was breached after a former employee of one of the hospitals’ vendors got unauthorized access to the data, the San Francisco Public Health Department said Friday.

The data included patients’ names, dates of birth, medical record numbers and details of their medical conditions, diagnoses, treatment and care plans. It did not include Social Security numbers, driver’s license numbers or financial account numbers, according to officials with the health department, which runs the health network that includes the two hospitals.

The information of 895 patients was accessed between Nov. 20 and Dec. 9, and the patients involved have been notified, officials said.

Read more on SF Chronicle. This was an insider-wrongdoing breach in which an employee of their transcription service provider, Nuance Communications in Massachusetts, reportedly also accessed patient information from other clients. If the name “Nuance” sounds familiar, it may be because they lost almost $100 million in a NotPetya attack last year.

The following notice was posted on the San Francisco Public Health Department home page yesterday:

Vendor security incident: unauthorized access of medical record information
No evidence that personal information has been used for any purpose

SAN FRANCISCO (May 11, 2018) — The San Francisco Department of Public Health today informed 895 patients of a security incident involving personal information handled by a third-party medical transcription service. The transcriptions covered visits to the San Francisco Health Network, the Health Department’s system of hospitals and clinics.

The incident happened at Nuance Communications, a Massachusetts-based company contracted to provide medical transcription services. The information was accessed last year from November 20 to December 9. Notification to patients was delayed at the request of the FBI and the U.S. Department of Justice, pending their criminal investigation into the incident. The investigation determined that a former Nuance employee breached Nuance’s servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department has informed Nuance that it does not appear that any of the information taken was used or sold for any purpose, and that all of the data have been recovered from the former employee.

The information accessed included personal data such as name, date of birth, medical record number, patient number, and information dictated by the provider such as patient condition, assessment, diagnosis, treatment, care plan and date of service.

The incident did not include information such as Social Security number, Driver’s License number or financial account numbers.

“The San Francisco Department of Public Health is committed to maintain the privacy of our patients and takes its responsibility to address privacy incidents seriously,” said Roland Pickens, Director of the San Francisco Health Network.  “We sincerely apologize for any inconvenience or concern that this situation may cause. All of our vendors are required to attest to the protection of patient privacy, as part of their contract, and we continue to audit and improve upon that process.”

The San Francisco Health Network has sent a letter to all the affected patients, who were seen at Zuckerberg San Francisco General Hospital or Laguna Honda Hospital. The Health Department also has notified the California Department of Public Health and the California Attorney General.

San Francisco Health Network patients with questions can contact the Health Department’s Privacy Office toll free at (855) 729-6040 and reference “Nuance” or #2017-122 in the message.

Category: Health Data, Insider, Subcontractor, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.