Breach Exposes Data on 20,000 Patients From Stanford Hospital’s ED

On Thursday, Stanford Hospital & Clinics confirmed that a medical privacy breach caused data on more than 20,000 of its emergency department patients to be publicly posted to a commercial website for about one year, the New York Times reports (Sack, New York Times, 9/8).

Breach Details

The breach involved the exposure of a detailed spreadsheet that contained unencrypted information on patients seen at Stanford's ED during a six-month period in 2009.

The spreadsheet included such data as:

• Names;
• Diagnosis codes;
• Admission and discharge dates; and
• Billing charges (Krieger, San Jose Mercury News, 9/8).

Gary Migdol, a spokesperson for Stanford Hospital & Clinics, said the spreadsheet did not contain patients' Social Security numbers, credit card information or any other data that could be used to perpetrate identity theft (AP/San Diego Union-Tribune, 9/9).

Although the spreadsheet had been in the possession of a Los Angeles-based billing contractor called Multi-Specialty Collection Services, the document was discovered on a website called Student of Fortune. The website allows students to seek paid help with their schoolwork.

Migdol said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about converting data into a bar graph.

A patient discovered the spreadsheet nearly a year later and reported it to the hospital on Aug. 22.

Stanford Response

Diane Meyer, Stanford Hospital's chief privacy officer, sent a letter to affected patients noting that the hospital took "aggressive steps" to respond to the breach. She wrote that the website removed the spreadsheet one day after being contacted by the hospital.

According to Migdol, Stanford has suspended its relationship with Multi-Specialty Collection Services and has received written certification that earlier data files stored by the contractor would be destroyed or returned securely.

Migdol said state and federal agencies have been notified of the breach, adding that HHS likely will conduct its own investigation. He said the hospital has determined that "there is no employee from Stanford Hospital who has done anything impermissible" (New York Times, 9/8).

The hospital is offering no-cost identity theft protection services to affected patients (San Jose Mercury News, 9/8).

Response From Website Operator

Tina Warner -- vice president of communications at Chegg, which bought the Student of Fortune website in August -- said company leaders were unaware that the spreadsheet was on the site until Stanford contacted them.

Warner said the company immediately removed the spreadsheet, but was unable to determine the identity of the user who had posted the document (New York Times, 9/8).