California Senate Bill 1386 (SB1386)

Policy Type



UCSF complies with the provisions of California Privacy Legislation, California Senate Bill 1386 (SB1386), requiring notification to California residents regarding any breach to the security of a computing system where there is a reasonable belief that an unauthorized person has acquired their unencrypted personal information.

The data covered by this law is an individual's first name or first initial and last name in combination with any one or more of the following:

  • Social Security number
  • Driver license number or California identification card number
  • Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information (effective January 1, 2008)
  • Health insurance information

On September 30, 2008, Governor Schwarzenegger approved legislation that established specific reporting requirements regarding the unlawful or unauthorized access to, use, or disclosure of patient medical information, and that increased financial penalties for violations. The new requirements and penalties have been added to the California Health and Safety Code and took effect on January 1, 2009. 

University Policy has been updated to address these additions to California Code: Business and Finance Bulletin IS-3, "Electronic Information Security," contains the University policy for notification in cases of information security breaches. Section III.D has been updated to include the new reporting requirement for unlawful or unauthorized access to, use, or disclosure of patient medical information, as well as to ensure more consistent, systemwide incident-response processes. 

Mitigation or notification requirements may differ, depending on the federal or state statues, the nature of the information at risk in the event of a security breach, or contractual agreement. For example:

  • Owners of "computerized data that includes personal information shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
  • Licensed UC clinics and health facilities must report to the California State Department of Public Health and affected patients any unlawful or unauthorized access to, use, or disclosure of their medical information no later than five days after activity has been detected.
  • A breach of confidentiality of electronic Protected Health Information (ePHI) requires mitigation, to the extent practicable of "harmful effects."
  • Business associate agreement may require specific notifications.

The updated bulletin is posted on the Web at or

If you have a concern regarding SB1386 at UCSF please contact the designated individual noted below.

To Report a Breach

To report any information security problems, potential problems or suspected unauthorized access to unencrypted personal information. you may do one of the following:

  • Contact the Designated Individual noted below
  • Contact ITS Customer Support at 514 4100 to report the breach
  • Submit a support ticket online at
    For more information, please read the instructions on our Reporting Incidents page.

Designated Individual

The designated individual for UCSF regarding SB1386 is:

Patrick Phelan
Director, Chief Information Security Officer
[email protected]

University of California, San Francisco
IT Security
Box 0272, 1855 Folsom Street
San Francisco, CA. 94143 – 027