(AP) — Stanford Hospital in California is blaming a subcontractor used by an outside vendor for a privacy breach that led to the online posting of medical information for thousands of emergency room patients. The breach was first reported Friday by the New York Times. The data of 20,000 patients, including names and diagnosis codes, remained on a commercial website for nearly a year until it was discovered last month and taken down, according to the newspaper.
In a statement, Stanford Hospital said the file that contained the patient information was created by a subcontractor employed by one of its vendors, Multi Specialties Collection Services. The hospital did not name the subcontractor, but it said Multi Specialties Collection Services is investigating how the company caused patient information to be posted to the website. Stanford said that in the meantime, it has suspended working with Multi Specialties Collection Services.
"This incident was not caused by the hospital, and responsibility has been assumed by a contractor working with the vendor," the hospital said in its statement. Breaches of medical data are common, though most typically involve lost or stolen computers or storage devices. Roughly one-fifth of the publicly disclosed breaches in the last seven years have involved healthcare providers, according to a database kept by the Privacy Rights Clearinghouse.
The digitization of medical data is creating new problems, as the information travels more easily among the dozens of contractors that are typically authorized to handle a person's medical records and is more easily lost or accidentally posted online. In the Stanford case, the data ended up on a homework-help website called Student of Fortune, according to the New York Times. Someone needing help converting data into a bar graph posted a spreadsheet along with the sensitive information, Gary Migdol, a spokesman for the hospital, told the Times. The spreadsheet first appeared there a year ago Friday, Migdol said.
The privacy breach did not involve any hacking, and data weren't on Stanford's or the collection agency's website, but on Student of Fortune's. The information included medical record numbers, hospital account numbers, emergency room admission and discharge dates and billing charges, according to the hospital. It did not contain credit card or Social Security numbers, information commonly associated with identity theft.
The affected patients were seen by the hospital's emergency department between March 1, 2009, and Aug. 31, 2009. "The hospital notified affected patients quickly and also arranged for free identity protection services, though the data involved is not associated with identity theft," the hospital said in its statement. Migdol told the Times that he expected the federal Department of Health and Human Services to conduct its own investigation.