Stanford University’s hospital is admitting that a privacy breach led to the public posting of medical records for 20,000 emergency room patients, including names and diagnosis codes, on a commercial Web site for nearly a year.
The breach was discovered last month. The Palo Alto, Calif., hospital has been investigating how a detailed spreadsheet made its way from a billing contractor identified as Multi-specialty Collection Services to the Student of Fortune Web site, which allows students to solicit paid assistance with their schoolwork.
Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.
The released information, which Stanford had not encrypted, also included medical record numbers, hospital account numbers, billing charges and emergency room admission and discharge dates. Credit card and Social Security numbers were not included.
The identity of the person who posted the data in a spreadsheet attached to a file was not disclosed.
Multi-specialty created the spreadsheet as part of a billing-and-payment analysis for Stanford, according to Migdol.
The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to the affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer.
The Stanford incident is especially worrisome because the information was made public, and left public for a long time. Most such breaches involve stolen or lost laptops or computer servers that contain patient data.