SAN FRANCISCO – Over 600 patients at the University of California, San Francisco are being notified of a possible data breach that occurred when a hacker obtained e-mails containing their personal information.

UCSF officials say the breach occurred in late September 2009 when a faculty physician in the School of Medicine fell prey to a phishing scam. According to officials, the physician unknowingly provided the user name and password for his/her e-mail account in response to an e-mail message that appeared to come from the university's internal computer servers.

UCSF Enterprise Information Security officials identified the security breach and disabled the compromised password. After conducting a complete audit of the incident, the university determined that e-mails in the physician's account - including those containing demographic and clinical information (and, in the case of four individuals, Social Security numbers) - may have been exposed.

According to the Anti-Phishing Working Group, an industry association focused on eliminating identity theft and fraud that result from phishing and email spoofing,  there has recently been a national string of similar phishing scams directed to financial institutions, large companies and universities.

UCSF is advising patients to: review the "explanation of benefits" sent by their health insurer, look for payments they do not recognize, and (3) report any unusual payments found to their insurer or provider.

"UCSF is committed to maintaining the privacy of personal information and takes precautions to maintain the integrity and security of that information," said university officials. "In response to incidents such as this, UCSF is continually modifying its systems and practices to enhance the security of sensitive information. In this case, UCSF has provided re-education to workforce members to ensure that they protect their user IDs and passwords."