Patient Data Posted Online in Major Breach of Privacy

A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.

The spreadsheet included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birth dates, credit-card numbers or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.

The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took “aggressive steps,” and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.

“It is clearly disturbing when this information gets public,” he said. “It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that.”

Diane Dobson, of Santa Clara, Calif., said her “jaw dropped” on Saturday when she intercepted the letter from Ms. Meyer addressed to her 21-year-old son, who she said had received emergency psychiatric treatment at Stanford in 2009. Ms. Dobson said it could have been disastrous if her son, who lives at home, had learned that his name was linked to a mental health diagnosis.

“My son, I can tell you, is fragile and confused enough that this would have sent him over the edge,” Ms. Dobson said, saying she decided to speak publicly now because of her frustration with the breach. “Everyone with an electronic medical record is at risk, and that means everyone.”

Records compiled by the Department of Health and Human Services reveal that personal medical data for more than 11 million people have been improperly exposed during the past two years alone.

Since passage of the federal stimulus package, which includes provisions requiring prompt public reporting of breaches, the government has received notice of 306 cases from September 2009 to June 2011 that affected at least 500 people apiece. A recent report to Congress tallied 30,000 smaller breaches from September 2009 to December 2010, affecting more than 72,000 people.

The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.

One occurred at the Lucile Packard Children’s Hospital at Stanford in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised.

But the California Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. The hospital appealed the fine, and a settlement has been reached but not yet disclosed, a department spokesman said.

The Stanford episode reinforces the fear that even the most prestigious medical centers are not immune to risk.

Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway while commuting to work. The pages included the names of 192 patients, and diagnoses for about a third of them, including diagnoses for H.I.V./AIDS. They were never recovered.

The Department of Health and Human Services viewed the breach as a potential violation of the Health Insurance Portability and Accountability Act, the 1996 law that requires protection of medical records.

Mr. Migdol, the hospital spokesman, said Stanford had concluded that “there is no employee from Stanford Hospital who has done anything impermissible.” He said he expected the federal Department of Health and Human Services to conduct its own investigation. Susan McAndrew, a deputy director in the department’s Office for Civil Rights, said she could not discuss whether an investigation was in progress.

The vendor, identified by Mr. Migdol as Multi-Specialty Collection Services L.L.C., based in Los Angeles, is described on its Web site as a subsidiary of Texican Inc. Joe Anthony Reyna, who is listed in state and commercial records as Texican’s principal, did not respond to messages left at his office and home.

Mr. Migdol said the company created the spreadsheet as part of a billing-and-payment analysis for the hospital. He said the hospital immediately suspended its relationship with the contractor and received written certification that previous files would be destroyed or returned securely.

Tina Warner, a vice president at Chegg, an online company that bought Student of Fortune in August, said the site’s principals were unaware the data had been posted until informed by the hospital. They then “took it down within 30 seconds,” she said. Ms. Warner said the identity of the person who posted the Stanford data could not be determined from the user name.

Bryan Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health providers, said nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed.

Dr. Cline said health care providers depend unjustifiably on legal contracts with vendors to protect medical records. “That just doesn’t work, as we can see,” he said. “You have to do due diligence, something to assure yourself that the people you’re giving your data to can be trusted.”