Contractor Leaks 20,000 Patient Records From Stanford Hospital
A data privacy breach at Stanford University's hospital has resulted in medical records for 20,000 emergency room patients being posted on a public Website for nearly a year, according to The New York Times.
A patient notified the hospital of the breach Aug. 22, and the hospital has been investigating how a detailed spreadsheet containing sensitive patient information wound up being posted on a commercial site, The New York Times reported Sept. 8. The compromised information belonged to patients who went to Stanford Hospital's emergency room over a six-month period in 2009.
The records included names, diagnosis codes, account numbers, dates of admission and discharge, and billing charges. Social Security numbers, birth dates, credit card accounts or other information that could potentially result in identity theft was not exposed. Even so, the hospital is offering free identity-protection services to all affected patients.
"It is clearly disturbing when this information gets public," Diane Meyer, Stanford Hospital's chief privacy officer, told the Times, adding, "It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that."
The nature of the incident was "quite strange," but it doesn't appear that it was part of a widespread breach, Mike Paquette, CSO at Corero, told eWEEK.
The spreadsheet originated at one of the hospital's vendors, a billing contractor called Multi-Specialty Collection Services. The spreadsheet appeared on a Website called Student of Fortune, where students pay for assistance with schoolwork. The spreadsheet was part of a question on how to convert the data into a bar graph and appeared Sept. 9, 2010. Student of Fortune removed the post with the spreadsheet immediately after being contacted by Stanford last month.
"It s baffling why anyone would post a spreadsheet with this kind of personal and sensitive information to a public forum looking for advice on how to create a graph," Geoff Webb, director of product marketing at Credant Technologies, told eWEEK.
Stanford Hospital has canceled its contract with Multi-Specialty Collection Services and received a written promise that all hospital-related files would be either destroyed or returned.
Unfortunately, this kind of breach is becoming altogether common as information is shared between partners, customers and contractors to reduce costs and improve services, Webb said. The idea of protected information staying within the network perimeter is "effectively dead," said Webb.