Catherine Ho reports:
The personal information of nearly 900 patients of San Francisco General and Laguna Honda hospitals was breached after a former employee of one of the hospitals’ vendors got unauthorized access to the data, the San Francisco Public Health Department said Friday.
The data included patients’ names, dates of birth, medical record numbers and details of their medical conditions, diagnoses, treatment and care plans. It did not include Social Security numbers, driver’s license numbers or financial account numbers, according to officials with the health department, which runs the health network that includes the two hospitals.
The information of 895 patients was accessed between Nov. 20 and Dec. 9, and the patients involved have been notified, officials said.
Read more on SF Chronicle. This was an insider-wrongdoing breach: a former employee of their transcription service provider, Nuance Communications in Massachusetts, reportedly accessed patient information from other Nuance clients as well. If the name “Nuance” sounds familiar, it may be because they lost almost $100 million in a NotPetya attack last year.
The following notice was posted on the San Francisco Public Health Department home page yesterday:
Vendor security incident: unauthorized access of medical record information
No evidence that personal information has been used for any purpose
SAN FRANCISCO (May 11, 2018) — The San Francisco Department of Public Health today informed 895 patients of a security incident involving personal information handled by a third-party medical transcription service. The transcriptions covered visits to the San Francisco Health Network, the Health Department’s system of hospitals and clinics.
The incident happened at Nuance Communications, a Massachusetts-based company contracted to provide medical transcription services. The information was accessed last year from November 20 to December 9. Notification to patients was delayed at the request of the FBI and the U.S. Department of Justice, pending their criminal investigation into the incident. The investigation determined that a former Nuance employee breached Nuance’s servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department has informed Nuance that it does not appear that any of the information taken was used or sold for any purpose, and that all of the data have been recovered from the former employee.
The information accessed included personal data such as name, date of birth, medical record number, patient number, and information dictated by the provider such as patient condition, assessment, diagnosis, treatment, care plan and date of service.
The incident did not include information such as Social Security number, Driver’s License number or financial account numbers.
“The San Francisco Department of Public Health is committed to maintaining the privacy of our patients and takes its responsibility to address privacy incidents seriously,” said Roland Pickens, Director of the San Francisco Health Network. “We sincerely apologize for any inconvenience or concern that this situation may cause. All of our vendors are required to attest to the protection of patient privacy, as part of their contract, and we continue to audit and improve upon that process.”
The San Francisco Health Network has sent a letter to all the affected patients, who were seen at Zuckerberg San Francisco General Hospital or Laguna Honda Hospital. The Health Department also has notified the California Department of Public Health and the California Attorney General.
San Francisco Health Network patients with questions can contact the Health Department’s Privacy Office toll free at (855) 729-6040 and reference “Nuance” or #2017-122 in the message.