Personal data for more than 6,000 UCSF patients was exposed online for more than three months last year, according to the San Francisco Chronicle.
The news is troubling on multiple levels. First off, it poses the risk that sensitive health information could be used against those patients by employers, health insurers, and others. It also could have allowed fraudsters to use the data to commit medical identity theft and get medical treatment and drugs without paying.
Also, while it's unclear exactly how the data breach happened, it's fairly clear that it arose after the hospital shared the data with a third party, Target America, which was hired to go through the patient database and find people to solicit for donations.
And finally, it took the hospital nearly six months to notify the 6,313 affected patients about the privacy invasion.
"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons--for fundraising, marketing, advertising," Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine, told the newspaper.