The University of California San Francisco has notified approximately 600 individuals that a hacker may have accessed their protected health information.

A physician in the UCSF School of Medicine fell victim to a phishing scam in late September and gave up the user name and password for his e-mail account. The university's information security unit identified the breach and disabled the compromised password. By Oct. 16, an investigation determined that e-mails in the physician's account, which included those containing demographic and clinical information and four Social Security numbers, might have been exposed, according to the university.

Notifications of affected individuals occurred between Oct. 21 and Dec. 11 as the investigation continued, the university told the San Francisco Business Times. The university advised affected individuals to review insurance explanation of benefit documents and look for payments they do not recognize, and report any unusual payments to their insurer or provider. The university also has re-educated personnel on how to protect user IDs and passwords.

New federal rules mandated under the American Recovery and Reinvestment Act require "timely" notification of certain breaches of health information. The rules are now in effect and have a compliance deadline of Feb. 22, 2010.

--Joseph Goedert
