Data breach in San Francisco exposes personal information of nearly 900 patients

Nearly 900 patients at two city-run hospitals in San Francisco are being notified that their personal information was exposed in a data breach late last year at a prominent healthcare IT contractor. The breach occurred last December when a former employee of Nuance Communications, a Massachusetts firm that specializes in speech recognition, obtained access to tens of thousands of records created by Nuance’s medical-transcription software.

The San Francisco Department of Public Health began informing its 895 affected patients of the breach last week. Although the breach took place between last Nov. 20 and Dec. 9, the department held off on notifying victims at the behest of federal investigators. In its letter to affected patients, the department writes that individuals’ addresses, Social Security numbers and bank account numbers were left untouched. The breach included names, dates of birth, medical conditions and treatment plans, according to a department press release.

Nuance disclosed the breach last week in a quarterly filing with the Securities and Exchange Commission, stating that it shut down the transcription platform as soon as the breach was detected. But the former employee responsible for the incident accessed far more than just the San Francisco patients’ files. In total, Nuance said as many as 45,000 patient records connected to the transcription software were caught up in the data breach.

The San Francisco residents whose information was accessed were patients at Zuckerberg San Francisco General and Laguna Honda hospitals, both of which are relied upon by the city’s low-income population. About 80 percent of the patient population at Zuckerberg receives either Medicare or Medicaid assistance.

According to Nuance’s SEC filing, the affected records were recovered. The San Francisco Department of Public Health says the U.S, Justice Department informed it the breach was contained without any of the accessed data being used or sold for any purpose. The full sweep of the data breach includes numerous Nuance clients, though San Francisco is the only one that has been identified so far.