UCSF waited six months before telling patients of data breach

Elizabeth Fernandez, Chronicle Staff Writer

May 1, 2008

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&tsp=1


San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical-identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians were also available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

The consequences of health care data breaches can be significant, said experts. Sensitive information can be used by employers, health insurers and other entities to discriminate. Additionally, thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research and consumer education group. "To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."

Hospital officials say there's no indication of identity theft to date.

Identifying potential donors

UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.

Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.

The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."

Corinna Kaarlela, UCSF's director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.

Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.

The breach spotlights an ongoing, little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.

Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.

"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for non-medical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."

Vast patient list provided

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said the hospital contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."

"Identification of potential donors who were active in the philanthropic community was one objective, along with identifying individuals who had corporate relationships, such as board service, or were affiliated with relevant community programs and health/care biomedical organizations," Kaarlela said.

After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report on March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.

To Dixon, the expert on medical identity, the disclosure lag was far too long.

"In Internet years, that's a century," she said.

In January, California began requiring health care providers to alert consumers if their medical information has been breached. Swift notification is considered important so consumers can monitor credit reports and bills.

According to Joanne McNabb, chief of the California Office of Privacy Protection, notice should be given "in the most expedient time possible, without unreasonable delay."

"It's a judgment call, the how and the when part," McNabb said. "The idea is to give early warning so that people can take defensive action. On the other hand, you don't want to needlessly worry people."

How patients are at risk

While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.

"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.

Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.

A federal privacy regulation known as HIPAA, the Health Insurance Portability and Accountability Act, sets standards to protect personal health information. Health care entities are allowed, for fundraising activities, to release to business associates - without explicit individual authorization - certain demographic information, such as names, addresses and dates of treatment, but not information about health or health care.

"You cannot provide other information for fundraising purposes," said a senior official with the U.S. Department of Health and Human Services' Office for Civil Rights.

In the UCSF breach, the names of patients treated at four care units were released: chest and pulmonary, vascular surgery, pediatric surgery, and pediatric multiple sclerosis.

"It seems they may have released more information than permitted," said Gail Sausser, a HIPAA consultant and adjunct professor of health law at Seattle University's School of Law.

UCSF officials say the use of a department's name is not prohibited under HIPAA. But they acknowledged that such a disclosure is against the institution's own "best practice" policy.

"Steps have been taken to reinforce this practice," Kaarlela said.

For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.

"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.

"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."

E-mail Elizabeth Fernandez at efernandez@sfchronicle.com.

