UCSF alerts patients about a security breach

From the UCSF Press Office:

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information. There is no indication that any patient files were accessed. However, UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers. The computer was immediately removed from the network to prevent further access. UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised. The investigation was completed this month.

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual. Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database. The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer. The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis. UCSF is notifying these health care providers to coordinate communication with their patients. UCSF has established a special phone line (415) 353-7427 and a special email address [email protected] to answer questions from patients who receive the notification letters.

[…]

About the author: Dissent