University Of California Hospital Publicizes 6,000 Patient Records While Mining For Prospective Donors

The University of California’s non-profit medical center accidentally exposed 6,000 patient records as part of their continuing effort to hunt for prospective donors. The “large and very significant data breach” was caused by UCSF’s data miner, Target America, which received details on almost 40,000 patients.

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said it contracted with the company to assist “with identifying names of individuals who could potentially receive communications from UCSF.”

“Identification of potential donors who were active in the philanthropic community was one objective, along with identifying individuals who had corporate relationships, such as board service, or were affiliated with relevant community programs and health care biomedical organizations,” Kaarlela said.

After the breach was discovered, the hospital said it required Target America to hire “an objective third-party firm” to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year “if a query for a specific name was made.” Notification letters were mailed to patients April 4.

To Dixon, the expert on medical identity, the disclosure lag was far too long.

“In Internet years, that’s a century,” she said.

In January, California began requiring health care providers to alert consumers if their medical information is breached. Swift notification is considered important so consumers can monitor credit reports and bills.

According to Joanne McNabb, chief of the California Office of Privacy Protection, notice should be given “in the most expedient time possible, without unreasonable delay.”

“It’s a judgment call, the how and the when part,” McNabb said. “The idea is to give early warning so that people can take defensive action. On the other hand, you don’t want to needlessly worry people.”

It’s not the worst case of lost records we’ve seen, but mining for donors seems so much worse than “whoops, lost another laptop!” At least people’s social security numbers weren’t included with the data. People who think their identity may have been stolen should pour themselves a stiff drink before sitting down to read this comprehensive post.

6,000 UCSF patients’ data got put online [San Francisco Chronicle] (Thanks to Paul!)
(Photo: Getty)


Edit Your Comment

  1. thirdbase says:

    They should provide free cardiac arrest treatment for these 6000 people when they get their credit card statements

  2. Trai_Dep says:

    It’s sad that the California GOP is starving the UC system – previously a national model for excellence – to the point that they need to scurry about for funds to educate their own populace. If professional schools are being razed in such a fashion, imagine the damage at the non-professional, undergraduate and community college levels.
    Republicans hate your children and our future, people.

    But yeah, UCSF should have been more on the ball.

  3. ConsumptionJunkie says:

    Hospital Cat Sez…

    i’m in yur records
    raizin’ yur rates

  4. matto says:

    Oh UC, will you ever learn?

  5. ByeBye says:

    Man, I don’t know about anyone else, but this would piss me off.

  6. Is this a veterinary hospital? Otherwise the photo doesn’t work: an attractive female grabbing her pu-you know what, maybe I shouldn’t finish that description.

  7. timmus says:

    Guess this is what happens when you outsource to a company that borrows the name of a department store.

  8. @timmus: I didn’t even look at contractor’s name till I saw your comment. “Target America”?! Doesn’t that sound a little scary? It sounds like either a propaganda film produced by the USSR or an al-Queda project. I wonder if the FBI and/or CIA found this name particularly interesting…

  9. howie_in_az says:

    So now Target America has data on some 30,000 people that TA can use to market other items for other customers unrelated to the hospital?

    I’m in the wrong line of work.

  10. tinycorkscrew says:


    Target America already had the data on the 30,000 people. That’s why UCSF was contracting with them.

  11. scoosdad says:

    I never understood why hospitals would assume that former patients would be a good source for charitable contributions. It’s not like they gave us a good deal on our medical procedures or did us any special favors. They provided a service, billed us, and we (or our insurers) paid for it.

    My mom for a long time got regular contribution solicitations from the hospital where my dad ended up on the night that he passed away.

  12. dweebster says:

    @tinycorkscrew: Good to know that America is being Targeted. Apparently this company is living up to their name proudly.

  13. tinycorkscrew says:


    There are lots of companies that do wealth screening for non-profits:

    Blackbaud, WealthEngine, Kintera, Lexis-Nexis for Development Professionals, etc.

    Pretty much every non-profit with a development office uses a wealth screening service.

    Most of the data these screening companies provide comes from public records – county assessors, SEC documents, 990’s, etc.

    The problem here isn’t the data that Target America has collected; the problem is the inadvertent disclosure of patients’ medical information.

  14. ChuckECheese says:

    From the rest of the year, Citibank pledges to donate 5% of all funds fraudulently taken from your accounts to the UCSF.

  15. orielbean says:

    The picture w/ the cat is priceless. She’s shaking down Fluffy for pocket change.

  16. revmatty says:

    Note that different schools get different funding. Berkeley does just fine (to be fair, they also get significant alumni donations as well as having income streams from sports and leasing out concert halls, technology licensing, etc etc). UCSF is one of the ‘lesser’ UC schools and thus gets less money.