Stanford University’s hospital in California has confirmed that a medical privacy breach has led to the online posting of electronic medical records of 20,000 emergency rooms patients.
The names and diagnosis code of the patients were posted on a commercial website for nearly a year. The hospital discovered the breach last month and said that the information had been removed from the website.
Investigation of the breach has been going on about how the detailed information of the patient’s names, diagnosis codes, account numbers, admission dates and charges was sent to one of its vendors, Multi-Specialty Collection Services. The information was sent by a students' website called “Student of Fortune,’’ which allows them to seek paid assistance with their school work.
Gary Migdol, a spokesman for Stanford Hospital and Clinics told The New York Times that the spreadsheet first appeared on the site Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.
A patient found out that the hospital spreadsheet was posted on the website and it was removed on Aug. 22 after he reported it to Stanford.
The vendor, Multi Specialties Collection Services in Los Angeles, handles billing for the hospital; it created the spreadsheet as part of a billing-and-payment analysis for Stanford, according to Migdol.
The hospital suspended the business with the company after realizing the breach on Aug. 22.
The spreadsheet did not include Social Security numbers, birthdates, or credit-card accounts information that is used to carry out identity theft, he said.
It is clearly disturbing when this information gets public. It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that, he said.
The Stanford incident is worrisome because the information was made public for a long time. Most breaches involve stolen laptops or computer servers that contain patient data, and it's doubtful that medical information is ever accessed or used inappropriately.