A security breach may have exposed patients at a California university hospital to medical identity theft, an expert on privacy issues says.

Personal information on more than 6,000 patients at the University of California-San Francisco was accessible online for three months last year, the San Francisco Chronicle reported Friday. The information included names, addresses, medical departments and some patient medical record numbers, the newspaper said.

The problem was discovered in October but patients were not notified until early last month.

"This is a large and very significant data breach," Pam Dixon, executive director of the World Privacy Forum, told the newspaper.

The medical center had given patient information to Target America, which searches electronic databases for information about a non-profit's potential or existing donors.

Corinna Kaarlela, the university's director of news services, said the school ended its business agreement with Target America after the breach was discovered.

The university said Social Security numbers were not exposed and there had been no reports of medical identity theft, the newspaper said. (c) UPI