UCSF Delays Data Breach Notification For 6 Months
May 6, 2008 – 9:58 pm
by Doug Pollack
Earlier this week, the San Francisco Chronicle reported that the personal information of over 6,000 UCSF patients had been been exposed on the Internet for over three months last year. This situation has caused these individuals to be vulnerable to potential medical identity theft. The data breach was discovered in October of last year although UCSF did not notify these individuals until early April of this year, over 6 months later.
As it is reported, the data breach itself was caused by a vendor that UCSF works with in order to help them in identifying potential donors for financial contributions.
“UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit’s potential or existing donors….the breach was discovered, said UCSF officials, when the hospital was alerted that a patient’s name had been queried on the Internet “and it was listed in association with UCSF.”
The delay in notifying individuals that their personal information has been exposed in a data breach can be very damaging to the reputation of an organization. A recently published study the Ponemon Institute titled “Consumers’ Report Card on Data Breach Notification” notes the implications on such individuals that have been involved in a data breach.
A key conclusion from this report is that timeliness in notifying individuals that they are victims of a data breach is critical to maintaining goodwill and an on-going customer relationship.
“More than 55% of respondents state that the notification about the data breach occurred more than one month after the incident, and more than 50% of respondents rated the timeliness, clarity, and quality of the notification as either fair or poor.”
Based on these types of inadequate notification practices, organizations tend on average to have around a third of their customers terminate their business relationship as noted in the conclusions of this Ponemon report.
