The University of California’s non-profit medical center accidentally exposed 6,000 patient records as part of their continuing effort to hunt for prospective donors. The “large and very significant data breach” was caused by UCSF’s data miner, Target America, which received details on almost 40,000 patients.
Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.
Hospital officials said UCSF contracted with the company to assist “with identifying names of individuals who could potentially receive communications from UCSF.”
“Identification of potential donors who were active in the philanthropic community was one objective, along with identifying individuals who had corporate relationships, such as board service, or were affiliated with relevant community programs and health care biomedical organizations,” Kaarlela said.
After the breach was discovered, the hospital said it required Target America to hire “an objective third-party firm” to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year “if a query for a specific name was made.” Notification letters were mailed to patients April 4.
To Dixon, the expert on medical identity, the disclosure lag was far too long.
“In Internet years, that’s a century,” she said.
In January, California began requiring health care providers to alert consumers if their medical information is breached. Swift notification is considered important so consumers can monitor credit reports and bills.
According to Joanne McNabb, chief of the California Office of Privacy Protection, notice should be given “in the most expedient time possible, without unreasonable delay.”
“It’s a judgment call, the how and the when part,” McNabb said. “The idea is to give early warning so that people can take defensive action. On the other hand, you don’t want to needlessly worry people.”
It’s not the worst case of lost records we’ve seen, but mining for donors seems so much worse than “whoops, lost another laptop!” At least people’s Social Security numbers weren’t included with the data. People who think their identity may have been stolen should pour themselves a stiff drink before sitting down to read this comprehensive post.