UCSF Data Breach Raises Concerns About Hospital Use of Patient Data
Medical information for more than 6,000 patients at UC-San Francisco Medical Center was posted on the Internet for more than three months in 2007, and UCSF did not alert the patients until almost six months after the privacy breach was discovered, the San Francisco Chronicle reports.
The breach was discovered on Oct. 9, 2007, but the medical facility did not begin notifying the 6,313 patients until April 4. In January, California began requiring health providers to alert patients if their medical information is breached.
Disclosed information included patients' names, addresses and the names of the medical departments where they received care. Some patient medical record numbers and their physician names also were exposed online.
Since 2004, UCSF said it has provided the names and addresses of 30,590 patients to Target America in part to mine the information for potential or future financial donors.
Corinna Kaarlela, UCSF's director of news services, said the firm also helped identify people with ties to "relevant community programs and health care biomedical organizations."
Ten days after UCSF was notified of the breach from a patient, the facility ended its business agreement with Target America.
UCSF said it required Target America to hire "an objective third-party firm" to investigate the data breach.
Hospital officials said there is not any indication of identity theft at this time.
Pam Dixon -- executive director of the World Privacy Forum, a not-for-profit public research and consumer education group -- said, "This is a large and very significant breach ... all you need is a patient's name, address and the name of the hospital" to commit medical identity theft.
Arthur Caplan, chair of the department of medical ethics at the University of Pennsylvania School of Medicine, said, "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons -- for fundraising, marketing, advertising" (Fernandez, San Francisco Chronicle, 5/2).