In a major security breach, medical information for 20,000 emergency-room patients at Stanford Hospital in Palo Alto, Calif., was posted online -- and stayed there for almost a year.
The patients' names, account numbers, diagnosis codes, admission and discharge dates, and billing charges were posted on Student of Fortune, a commercial homework help Web site. The information was contained in a detailed spreadsheet, which the site posted on Sept. 9, 2010, to show customers how to create a bar chart from raw data. Stanford Hospital discovered the breach in August, but it was not made public until this week, The New York Times reported on Thursday.
The spreadsheet originated with one of the hospital's billing contractors, Multi-Specialty Collection Services. Hospital officials do not know how the data ended up online, but they are investigating, spokesman Gary Migdol told The New York Times. Security breaches can happen in many ways, from a disgruntled employee stealing data to an outsider hacking into a hospital database.
In this case, Migdol said officials' belief was that there is no employee from Stanford Hospital who has done anything impermissible.
He added that the spreadsheet did not include any information that could be used by identity thieves -- birth dates, Social Security numbers or credit card numbers, for example -- but that the patients listed in the spreadsheet will receive free identity protection services from the hospital nonetheless.
But in some cases, the release of confidential diagnostic information can be just as devastating as the release of Social Security numbers, because of the stigma associated with some illnesses. A patient diagnosed with schizophrenia or AIDS, for example, would not want that broadcasted.
Security breaches are disturbingly common, but it was very unusual that the confidential information stayed online for nearly a year before anyone noticed it. The hospital only found out about the breach when a patient discovered it last month.
Such breaches have increased in frequency as electronic records become the norm. Since 2009, more than 11 million people have had their medical information released, according to ABC News.