Hospital Medical Records Posted Online For a Year

Confidential medical data - including patient names and diagnoses - for 20,000 people seen in Stanford Hospital's emergency room was posted on a public website for nearly a year before hospital officials found out about the security breach.

According to a San Francisco Chronicle report, hospital officials, who learned of the breach last month, said that the information has been removed and that they are investigating the incident.

"Stanford had sent names, diagnosis codes, account numbers, admission dates and charges to an outside vendor, Multi Specialties Collection Services in Los Angeles, which handles billing for the hospital," the article said. "The billing vendor passed the information on to a subcontractor, which created a spreadsheet out of the data. Somehow that spreadsheet was posted on Sept. 9 last year to a website called Student of Fortune, in a section where students pay for homework assistance. The spreadsheet was uploaded as an attachment to a question about making bar graphs."

The spreadsheet remained on the website until Aug. 22, when a patient found it and reported it to Stanford. The spreadsheet was removed within 24 hours and patients were notified of the security breach a few days late.

The posted spreadsheet did not include Social Security numbers, birthdates or any other data that could be used for identity theft, and the information was sent in an attachment and thus would not turn up in an Internet search, yet the hospital is still offering free identity protection services to those whose information was made public, the article said.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.