[Dataloss] UCSF waited six months before telling 6,313 patients of data breach

rchick rchicker at etiolated.org
Fri May 2 01:36:28 UTC 2008


http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&tsp=1
May 1, 2008

San Francisco -- Information on thousands of UCSF patients was
accessible on the Internet for more than three months last year, a
possible violation of federal privacy regulations that might have
exposed the patients to medical-identity theft, The Chronicle has
learned.

The information accessible online included names and addresses of
patients along with names of the departments where medical care was
provided. Some patient medical record numbers and the names of the
patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not
send out notification letters to the 6,313 affected patients until
early April, nearly six months later.

The consequences of health care data breaches can be significant, said
experts. Sensitive information can be used by employers, health
insurers and other entities to discriminate. Additionally, thieves can
use purloined information to obtain medical treatment and prescription
drugs and to file false medical claims.

"This is a large and very significant data breach," said Pam Dixon,
executive director of the World Privacy Forum, a nonprofit public
interest research and consumer education group. "To commit medical
identity theft, all you need is a patient's name, address and the name
of the hospital. If you have a doctor's name and the medical
department where the patient was being treated, it is gold. If you add
a medical record number, it is a disaster for patients."

[...]

