Major medical privacy breach at Stanford Hospital

A breach of privacy has resulted in the names and diagnosis codes of over 20,000 people being posted online. The victims of the breach are patients at the Stanford Hospital in Palo Alto, California. Shockingly, the information remained online for nearly a year.

SAN FRANCISCO, CA (Catholic Online) - The hospital has been investigating the breach and trying to discern how a spreadsheet from one of its vendors, a billing contractor, ended up on the website, "Student of Fortune." The vendor was identified as Multi-Specialty Collection Services, a billing agency used by the hospital. Student of Fortune allows students to solicit paid help for their homework. 

DON'T TAKE CHANCES WITH YOUR PRIVACY Secure your medical information with MyPHRchart

A Stanford Hospital spokesman said the information appeared on the web site with a request to turn the data into a bar graph. The hospital also made clear that the breach was not the fault of the hospital or one of its employees.

The spreadsheet included names, diagnosis codes, account numbers, admission and dischagre dates, as well as billing data for patients who came to Stanford Hospital during a six-month period in 2009. The hospital emphasized that social security numbers, birth dates, and credit card numbers were not part of the leak. Despite that claim, the hospital is offering free identity theft protection services to affected patients. 

Officials noted that medical privacy breaches are common, but that the size of this case and the amount of time the information remained exposed makes this one exceptional. The breaches are common because of the number of vendors who share the data outside of the institutions.

According to a letter sent to affected patients, the breach itself was discovered by a patient and was reported to the hospital on August 22. Stanford Hospital also said the post was immediately removed by the web site at their request and that they promptly notified the authorities.
Government regulations require that security breaches be publicly reported. Those involved are typically fined. In California, the fine can range up to $250,000. Government records maintained from 2009 and 2010 say that a combined 11 million people have been victims of medical privacy breeches in those years alone.

Most breaches are the result of negligence or malice. Computers such as laptops are occasionally stolen with sensitive medical information on them. At other times, information has been left unencrypted or even hacked. Misdirected mailings count as privacy breaches too, and occasionally happen. According to government records, one or more of the preceding has occurred in 44 states.

Shocking cases, even those not involving computers or the internet have happened previously. In one instance, a Massachusetts General Hospital employee left a file of paper records on a subway train. The records contained information on 192 patients and included their medical statuses. A third of the patients were HIV positive. The file was never recovered.

The billing company whose spreadsheet appeared on the web, Multi-Specialty Collection Services, has still not commented on the incident. There is no word if legal action will be taken, or against whom, as the matter is still under investigation.

---

'Help Give every Student and Teacher FREE resources for a world-class Moral Catholic Education'