While the issues raised are in the context of the HCL agreement, the concerns can be applied to almost any offshore contract by any outsourcing firm.
Generally, IT security experts say that the data risks are as great in the U.S. as they are overseas. "If data is connected to the Internet it is already accessible by anyone, anywhere in the world," said Jim Christy, VP of investigations and digital forensics at security firm Cymmetria.
Laws and protections vary, and the UCSF letter to Feinstein points out the U.S. government's own concerns about India detailed in the U.S. Trade Representative's annual report on intellectual property protections.
Some IT security experts saw merit in the argument that the university should alert researchers, in particular, about where the data will be accessed from.
Nathan Wenzler, principal security architect at AsTech Consulting, said researchers should be informed about security -- "that should happen regardless." Researchers should know how the university is protecting and storing data, he said.
What is clear is that the data UCSF has in its care is sensitive.
Electronic health records sell at a premium in the criminal world when compared to a consumer's Social Security number or credit card, said Darren Hayes, an assistant professor and director of cybersecurity at Pace University's Seidenberg School of Computer Science and Information Systems in New York. When hospitals admit star athletes, for instance, they may see a spike in hacking efforts. "It's very, very valuable" information, he said.