UCSF privacy practices to protect patient information

By Corinna Kaarlela

UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.

UCSF contracted with a vendor, Target America, to assist with identifying targeted communication opportunities about University activities. These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University. 

On October 9, 2007, UCSF was alerted that some of the information given to this vendor was accessible via the Internet. The information included patient names, addresses, and the name of the department where patient care was provided. In some cases, the name of the patient’s physician and a medical record number were also provided. No Social Security numbers or any other health information was accessible via the Internet. 

Upon identification of this privacy breach, UCSF took immediate steps to ensure that the vendor closed the access to this database and that UCSF information was sequestered from any access, and UCSF requested that the vendor work with the Internet providers to remove the information from its Internet services. UCSF also required that Target America hire an objective third party firm to conduct a forensic analysis of the event to determine the length of time the information was vulnerable and the specific files that were potentially accessible via the Internet from Target America’s systems. UCSF terminated its business agreement with Target America on October 19, 2007, due to the way this situation was handled, which was not consistent with the agreement. All UCSF information was returned from Target America to UCSF. 

UCSF received the third party’s forensic analysis report on March 26, 2008. Notification letters to patients were finalized on April 3, 2008, and mailed the next day. Patients with further questions should call (415) 514-0508.

UCSF continually modifies systems and practices to enhance the security of patient information.