Stanford Hospital Breach Exposes 20,000 ER Records

Spreadsheet uploaded to homework-help website exposed sensitive patient data for almost a year.

Stanford Hospital & Clinics is investigating a privacy breach that left records on 20,000 emergency room visitors exposed online for a year.

The records appeared in a spreadsheet uploaded to Student of Fortune, a homework-help website, on Sept. 9, 2010. The spreadsheet was attached to a question about how the data could be converted into a bar graph. While the exposed records didn't include social security numbers, they did include names and diagnosis codes, admission and discharge dates, and account numbers.

The hospital said Thursday it first learned of the data breach after a patient alerted it on Aug. 22, 2011. Four days later, the hospital notified affected patients in a letter written by the hospital's chief compliance and privacy officer, Diane Meyer. Under federal stimulus funding laws, healthcare organizations are required to publicly disclose data breaches in a timely manner.

After discovering the breach, "a full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information," according to a statement released by the hospital. It said it also immediately notified state and federal authorities about the breach.

The hospital said it traced the spreadsheet to a report generated by a subcontractor of one of its vendors, Multi-Specialty Collection Services, which is a subsidiary of Texican, a healthcare facility management vendor (although the Texican LinkedIn profile now resolves to the website of a company known as LuxSci). The hospital said it had severed its relationship with the vendor.

"It is clearly disturbing when this information gets public," hospital spokesman Gary Migdol told The New York Times. "It is our intent 100% of the time to keep this information confidential and private, and we work hard every day to ensure that."

According to Chester Wisniewski, a senior security advisor at Sophos Canada, healthcare organizations that outsource work to third parties typically require their business partners to keep the information secure. But many never verify whether this is being done. "Simply inserting some clauses in their contracts to require these third parties to meet these regulations will ensure the data will be protected, right?" he said in a blog post.

Student of Fortune said that it has been unable to identify the owner of the account used to upload the spreadsheet. But even if that person is identified, perhaps this breach should be treated as more of a learning experience. "Rather than track down the person who made the mistake, imposing multi-million dollar fines, and saying it won't happen to us, let us learn from their mistakes," said Wisniewski. "That starts by knowing what to protect, and then making sure it stays protected. Classify your data based upon its importance. Now, based on that classification take the appropriate actions to control and protect that data."
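Wisniewski's advice to classify data first and then decide how to control it can be turned into an automated check that runs before a file leaves the organization. The Python script below is an added example written for this article; it is not code from Stanford Hospital, the vendor, or Sophos. It inspects a CSV export, labels columns by the field types the article says were exposed (names, account numbers, diagnosis codes, admission and discharge dates), and assigns a classification that a policy hook can use to block an upload to an external site. The sample data is constructed, and the diagnosis-code pattern assumes ICD-9-style values such as 401.9; the article only says "diagnosis codes".

```python
import csv
import io
import re

# Added example: a simple data-classification check for CSV exports.
# Not the hospital's, the vendor's or Sophos's code.

# Value-shape heuristics. The diagnosis-code shape is an assumption
# (ICD-9-style values such as 401.9 or V70.0); codes without a decimal
# part are caught only by the column header.
DIAGNOSIS_CODE = re.compile(r"^[A-Z]?\d{2,3}\.\d{1,2}$")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ACCOUNT_NUMBER = re.compile(r"^\d{6,}$")

# Indicator categories a column can fall into.
IDENTIFIER = "identifier"      # who the row is about (name, account number)
HEALTH = "health"              # what was wrong with them (diagnosis code)
SERVICE_DATE = "service_date"  # when they were treated (admission/discharge)


def _share(values, pattern):
    """Fraction of non-empty values matching the pattern."""
    return sum(1 for v in values if pattern.match(v)) / len(values)


def detect_column_kind(header, values):
    """Classify one column from its header and the shape of its values."""
    h = header.strip().lower()
    nonempty = [v.strip() for v in values if v.strip()]
    if not nonempty:
        return None
    if "name" in h:
        return IDENTIFIER
    if "account" in h or _share(nonempty, ACCOUNT_NUMBER) >= 0.8:
        return IDENTIFIER
    if "diag" in h or _share(nonempty, DIAGNOSIS_CODE) >= 0.8:
        return HEALTH
    if _share(nonempty, ISO_DATE) >= 0.8:
        return SERVICE_DATE
    return None


def classify_csv(text):
    """Return {'classification': level, 'indicators': {column: kind}} for a CSV."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        return {"classification": "internal", "indicators": {}}
    indicators = {}
    for column in rows[0].keys():
        kind = detect_column_kind(column, [r[column] or "" for r in rows])
        if kind:
            indicators[column] = kind
    kinds = set(indicators.values())
    if IDENTIFIER in kinds and kinds & {HEALTH, SERVICE_DATE}:
        level = "restricted"    # identifiable health information
    elif IDENTIFIER in kinds:
        level = "confidential"  # identifies people, no health detail
    else:
        level = "internal"      # aggregate or de-identified data
    return {"classification": level, "indicators": indicators}


def should_block_upload(text):
    """Policy hook: only 'internal' data may be sent to an external site."""
    return classify_csv(text)["classification"] != "internal"


# Constructed sample modelled on the field types the article lists; every value is made up.
ER_EXPORT = """patient_name,account_number,diagnosis_code,admission_date,discharge_date
Sample Patient A,10002345,401.9,2010-03-01,2010-03-02
Sample Patient B,10002346,786.50,2010-03-01,2010-03-01
Sample Patient C,10002347,V70.0,2010-03-02,2010-03-03
"""

# The same information reduced to counts per diagnosis: enough for a bar graph,
# with no identifiers left in it. Also constructed.
AGGREGATE = """diagnosis_code,visit_count
401.9,14
786.50,9
V70.0,3
"""

if __name__ == "__main__":
    for label, data in (("ER export", ER_EXPORT), ("aggregate", AGGREGATE)):
        result = classify_csv(data)
        print(label, result["classification"], result["indicators"],
              "block upload:", should_block_upload(data))
```

The point of the two samples is the contrast: the row-level export classifies as restricted and is blocked, while the per-diagnosis counts classify as internal and would have been enough to ask a bar-graph question with. The heuristics are deliberately simple; a production check would add more field types and verify the header-name rules against the organization's own export formats.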

This Stanford Hospital data breach aside, most data breaches typically go unreported. Part of the problem, according to Ponemon Institute, is the country's patchwork of data breach laws, including differing notification requirements in 49 states. Furthermore, different types of data--such as financial data or health information--are regulated by different laws and government agencies.

But according to a data breach report released on Thursday by the Digital Forensics Association, which reviewed data breaches from 2005 to 2010, the number of health industry data breaches disclosed has increased markedly since the Health Information Technology for Economic and Clinical Health Act (HITECH Act)--meant to strengthen privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA)--was passed in Nov. 2009. Notably, the HITECH Act requires healthcare organizations to disclose breaches involving unencrypted personal health information, when those breaches affect at least 500 people in one state. The Department of Health and Human Services is now maintaining a database to track such breaches.

