According to the San Francisco Public Health Department, nearly 900 patients at two San Francisco hospitals had their personal information breached. On Friday, the Department stated that the breach occurred at San Francisco General and Laguna Honda hospitals when a former employee of one of the hospitals’ vendors gained unauthorized accessed the patient data. An article on San Francisco Chronicle takes a closer look at the breach and what caused it.
The individual that accessed the data was a former employee of a medical transcription service the hospitals contract with, Nuance Communications in Massachusetts. The San Francisco Public Health Department will be continuing their contract with the company, who has since strengthened their cybersecurity practices. Nuance has also been cooperating with law enforcement during the investigation of the breach, which has revealed this individual had accessed similar patient information from other clients.
While the breached data did not include Social Security numbers, driver’s license numbers or financial account information, it did contain a great deal of patients’ personal information. Officials running the health network that the two hospitals fall under revealed that the accessed data included patients’ names, dates of birth, medical record numbers and specifics on their medical conditions including their diagnoses, treatments and care plans. The access of the 895 patients’ data occurred between Nov. 20 and Dec. 9. All patients who had their personal information accessed during this breach have been notified of the incident, according to officials.
In an investigation of the incident, The U.S. Department of Justice determined that the patient information did not appear to be used or sold. In addition, the data that was stolen in the incident has since been recovered from the former Nuance employee.
We sincerely apologize for any inconvenience or concern that this situation may cause,” Roland Pickens, director of the San Francisco Health Network, said in a statement. “All of our vendors are required to attest to the protection of patient privacy, as part of their contract, and we continue to audit and improve upon that process.”