UCSF is notifying students, faculty, and staff that their personal information may have been accessed by an unauthorized party due to a possible compromise in security of a computer server. The server did not contain any patient names or patient information.
There is no evidence at this time that any specific information was accessed, according to Randy Lopez, co-chief information officer for the Office of Academic and Administration Information Systems.
As a precautionary measure, the University is contacting about 46,000 individuals to alert them to look for signs of identity theft and advise them of steps to protect personal information. The contact list is comprised of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years.
Data on the server included names, social security numbers, and bank account numbers used for electronic payroll and reimbursement deposits. The server resides in the UC System-wide data center. The incident was identified in late March, and the server was immediately taken off-line.
The University is committed to maintaining the privacy of personal information. UCSF and the University of California Office of the President are conducting an investigation of this incident, including what types of information, if any, were compromised and how computer security can be improved. The Federal Bureau of Investigation has been notified and will be involved in the investigation. Also, UCSF is hiring a company that specializes in electronic security to provide a thorough audit of our security practices, and the findings of that audit will be reported as they become available.