9/9/2011
11:30 AM

Stanford Hospital Breach Exposes 20,000 ER Records

Spreadsheet uploaded to homework-help website exposed sensitive patient data for almost a year.

Stanford Hospital & Clinics is investigating a privacy breach that left records on 20,000 emergency room visitors exposed online for a year.

The records appeared in a spreadsheet uploaded to Student of Fortune, a homework-help website, on Sept. 9, 2010. The spreadsheet was attached to a question about how the data could be converted into a bar graph. While the exposed records didn't include social security numbers, they did include names and diagnosis codes, admission and discharge dates, and account numbers.

The hospital said Thursday it first learned of the data breach after a patient alerted it on Aug. 22, 2011. Four days later, the hospital notified affected patients in a letter written by the hospital's chief compliance and privacy officer, Diane Meyer. Under federal stimulus funding laws, healthcare organizations are required to publicly disclose data breaches in a timely manner.

After discovering the breach, "a full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information," according to a statement released by the hospital. It said it also immediately notified state and federal authorities about the breach.

The hospital said it traced the spreadsheet to a report generated by a subcontractor of one of its vendors, Multi-Specialty Collection Services, which is a subsidiary of Texican, a healthcare facility management vendor (although the Texican LinkedIn profile now resolves to the website of a company known as LuxSci). The hospital said it had severed its relationship with the vendor.

"It is clearly disturbing when this information gets public," hospital spokesman Gary Migdol told The New York Times. "It is our intent 100% of the time to keep this information confidential and private, and we work hard every day to ensure that."

According to Chester Wisniewski, a senior security advisor at Sophos Canada, healthcare organizations that outsource work to third parties typically require their business partners to keep the information secure. But many never verify whether this is being done. "Simply inserting some clauses in their contracts to require these third parties to meet these regulations will ensure the data will be protected, right?" he said in a blog post.

Student of Fortune said that it has been unable to identify the owner of the account used to upload the spreadsheet. But even if that person is identified, perhaps this breach should be treated as more of a learning experience. "Rather than track down the person who made the mistake, imposing multi-million dollar fines, and saying it won't happen to us, let us learn from their mistakes," said Wisniewski. "That starts by knowing what to protect, and then making sure it stays protected. Classify your data based upon its importance. Now, based on that classification take the appropriate actions to control and protect that data."

This Stanford Hospital data breach aside, most data breaches typically go unreported. Part of the problem, according to Ponemon Institute, is the country's patchwork of data breach laws, including differing notification requirements in 49 states. Furthermore, different types of data--such as financial data or health information--are regulated by different laws and government agencies.

But according to a data breach report released on Thursday by the Digital Forensics Association, which reviewed data breaches from 2005 to 2010, the number of health industry data breaches disclosed has increased markedly since the Health Information Technology for Economic and Clinical Health Act (HITECH Act)--meant to strengthen privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA)--was passed in Nov. 2009. Notably, the HITECH Act requires healthcare organizations to disclose breaches involving unencrypted personal health information, when those breaches affect at least 500 people in one state. The Department of Health and Human Services is now maintaining a database to track such breaches.
