The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information. There is no indication that any patient files were accessed. However, UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.
During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers. The computer was immediately removed from the network to prevent further access. UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised. The investigation was completed this month.
During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual. Installation of this program required high-level system access, which is why the incident is considered a security breach.
This computer contained files with lists of patients from the UCSF pathology department.s database. The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.
The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer. The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis. UCSF is notifying these health care providers to coordinate communication with their patients. UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who receive the notification letters.
The security of protected health information at UCSF is of utmost importance, especially in the Internet age. The campus has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered this breach. However, this event and others nationwide have caused UCSF to redouble its efforts in this area.
UCSF Chancellor J. Michael Bishop has formed a top-level task force to improve the system of controls to protect patient information and other sensitive data. This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.
Chancellor Bishop has charged the group with conducting a comprehensive, expedited review of actions already taken and future actions needed to protect sensitive data, including reviewing associated practices, systems and policies. He also has charged the committee with implementing the changes needed to safeguard protected health information and other sensitive data and has asked the group to report to him weekly on their status, with an emphasis on actions taken and planned.