Major Stanford breach openly posts medical info online

A privacy breach of limited medical information caused certain patients’ information from the emergency department of the Stanford Hospital & Clinics to be posted on a website.

The patients’ information was created by an outside vendor’s sub-contractor and was available on the website between March 1 and Aug. 31, 2009, according to a statement from the Palo Alto, Calif.-based hospital. The New York Times reported that the breach could affect up to 20,000 emergency room patients.

“The hospital discovered this on August 22, 2011, and immediately took action to ensure removal of the file from the website, which was done within 24 hours,” the statement read. A full investigation was launched, and Stanford Hospital & Clinics has been working with the vendor to determine how this incident occurred.

The vendor, Multi Specialties Collection Services, is also conducting an investigation into how its contractor caused patient information to be posted to the website. According to the statement, Stanford Hospital may take further action following completion of the investigation.

The information was limited to names, medical record numbers, hospital account numbers, emergency room admission/discharge dates, medical codes for the reasons for the visit and billing charges. Information commonly associated with identity theft, such as credit card and social security numbers, was not included.

The hospital notified affected patients and has arranged for free identity protection services, though the data involved are not associated with identity theft.

This incident was not caused by the hospital, and responsibility has been assumed by a contractor working with the vendor, the hospital reiterated.