
Thursday, 09/08/2011 4:05:57 PM

Patient Data Posted Online in Major Breach of Privacy
By KEVIN SACK
Published: September 8, 2011

A medical privacy breach at Stanford University’s hospital in Palo Alto, Calif., led to the public posting of medical records for 20,000 emergency room patients, including names and diagnosis codes, on a commercial Web site for nearly a year, the hospital has confirmed.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called “Student of Fortune,” which allows students to solicit paid assistance with their school work. Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford incident spotlights the persistent vulnerability posed by legions of outside contractors who gain access to private data.

The spreadsheet contained names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birthdates, credit-card accounts or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.

The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took “aggressive steps,” and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.

“It is clearly disturbing when this information gets public,” he said. “It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that.”

Diane Dobson, of Santa Clara, Calif., said her “jaw dropped” on Saturday when she intercepted the letter from Ms. Meyer addressed to her 21-year-old son, who she said received emergency psychiatric treatment at Stanford in 2009. Ms. Dobson said it could have been disastrous if her son, who lives at home, had learned that his name was linked online to a diagnosis for psychosis.

“My son, I can tell you, is fragile and confused enough that this would have sent him over the edge,” Ms. Dobson said. “Everyone with an electronic medical record is at risk, and that means everyone.”

The incident at Stanford, while egregious in its details, is far from rare. Records compiled by the Department of Health and Human Services reveal that personal medical data for more than 11 million people has been improperly exposed during the last two years alone.

Since passage of the federal stimulus package, which included provisions requiring prompt public reporting of breaches, the government has received notice of 306 incidents between September 2009 and June 2011 that affected at least 500 people. Four of the breaches involved more than a million people each. A recent report to Congress tallied 30,000 smaller breaches from September 2009 to December 2010, affecting more than 72,000 people.

The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.

One occurred at Stanford’s Lucile Packard Children’s Hospital in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised.

But California’s Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. State officials contend it took the hospital 19 days to disclose. The hospital contests that timeline and is appealing the fine, a Department of Public Health spokesman said.

The breaches at Stanford reinforce that even the most prestigious medical centers are not immune to risk.
