Stanford University Hospital said it is investigating a data breach reportedly involving records of 20,000 patients seen in the emergency room between March and August of 2009.
The patients' names, diagnosis codes and billing amounts -- but not Social Security numbers or credit card information -- were posted on a public website for nearly a year before being removed Aug. 22.
In a letter to the patients, Stanford apologized and offered free identity-protection services.
The Stanford breach was one of many such incidents in recent years as federal regulation of medical data security has stiffened and institutions work to ramp up their practices, an industry expert said.
In the 21-month period ending in June, hospitals and insurers reported 306 incidents involving 11.6 million medical records, according to Bryan Cline, vice-president of the HITRUST Alliance. HITRUST is a Texas-based industry consortium that has established a "common security framework" for health information.
Federal law requires public reporting within 90 days of breaches involving more than 500 individuals. Smaller breaches must be reported to the Secretary of Health and Human Services.
"The drive to improve (medical data) security is catching up with financial institutions, but it's a cost issue," Cline said.
"The health care industry is like an aircraft carrier. Even when you want to turn it around it takes a long time."
Much of the compromised data involved third parties, as in the Stanford case, Cline said.
The compromised data file was created by a subcontractor of an outside vendor, Multi Specialties Collection Service, Stanford said in a statement.
The hospital said it has suspended work with the vendor and is investigating how the data came to be posted on the web.
Multi Specialties Collection Services is conducting its own investigation into how its contractor caused the information to be posted, Stanford said.
Cline calculated that the size of the Stanford breach falls roughly at the median. In an analysis of publicly reported data, he said he counted 22 cases involving more than 50,000 patients, 16 involving more than 100,000 and three involving more than 1 million.