Stanford Hospital probes medical data breach

Names, diagnosis codes of up to 20,000 emergency-room patients posted on Web

Stanford University Hospital said it is investigating a data breach reportedly involving records of 20,000 patients seen in the emergency room between March and August of 2009.

The patients' names, diagnosis codes and billing amounts -- but not Social Security numbers or credit card information -- were posted on a public website for nearly a year before being removed Aug. 22.

In a letter to the patients, Stanford apologized and offered free identity-protection services.

The Stanford breach was one of many such incidents in recent years as federal regulation of medical data security has stiffened and institutions work to ramp up their practices, an industry expert said.

In the 21-month period ending in June, hospitals and insurers reported 306 incidents involving 11.6 million medical records, according to Bryan Cline, vice-president of the HITRUST Alliance. HITRUST is a Texas-based industry consortium that has established a "common security framework" for health information.

Federal law requires public reporting within 90 days of breaches involving more than 500 individuals. Smaller breaches must be reported to the Secretary of Health and Human Services.

"The drive to improve (medical data) security is catching up with financial institutions, but it's a cost issue," Cline said.

"The health care industry is like an aircraft carrier. Even when you want to turn it around it takes a long time."

Much of the compromised data involved third parties, as in the Stanford case, Cline said.

The compromised data file was created by a subcontractor of an outside vendor, Multi Specialties Collection Service, Stanford said in a statement.

The hospital said it has suspended work with the vendor and is investigating how the data came to be posted on the web.

Multi Specialties Collection Services is conducting its own investigation into how its contractor caused the information to be posted, Stanford said.

Cline calculated that the size of the Stanford breach falls roughly at the median. In an analysis of publicly reported data, he said he counted 22 cases involving more than 50,000 patients, 16 involving more than 100,000 and three involving more than 1 million.

Chris Kenrick

