
Stanford Hospital Breach Exposes 20,000 ER Records

Spreadsheet uploaded to homework-help website exposed sensitive patient data for almost a year.

Stanford Hospital & Clinics is investigating a privacy breach that left records on 20,000 emergency room visitors exposed online for a year.

The records appeared in a spreadsheet uploaded to Student of Fortune, a homework-help website, on Sept. 9, 2010. The spreadsheet was attached to a question about how the data could be converted into a bar graph. While the exposed records didn't include social security numbers, they did include names and diagnosis codes, admission and discharge dates, and account numbers.

The hospital said Thursday it first learned of the data breach after a patient alerted it on Aug. 22, 2011. Four days later, the hospital notified affected patients in a letter written by the hospital's chief compliance and privacy officer, Diane Meyer. Under federal stimulus funding laws, healthcare organizations are required to publicly disclose data breaches in a timely manner.

After discovering the breach, "a full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information," according to a statement released by the hospital. It said it also immediately notified state and federal authorities about the breach.

The hospital said it traced the spreadsheet to a report generated by a subcontractor of one of its vendors, Multi-Specialty Collection Services, which is a subsidiary of Texican, a healthcare facility management vendor (although the Texican LinkedIn profile now resolves to the website of a company known as LuxSci). The hospital said it had severed its relationship with the vendor.

"It is clearly disturbing when this information gets public," hospital spokesman Gary Migdol told The New York Times. "It is our intent 100% of the time to keep this information confidential and private, and we work hard every day to ensure that."

According to Chester Wisniewski, a senior security advisor at Sophos Canada, healthcare organizations that outsource work to third parties typically require their business partners to keep the information secure. But many never verify whether this is being done. "Simply inserting some clauses in their contracts to require these third parties to meet these regulations will ensure the data will be protected, right?" he said in a blog post.

Student of Fortune said that it has been unable to identify the owner of the account used to upload the spreadsheet. But even if that person is identified, perhaps this breach should be treated as more of a learning experience. "Rather than track down the person who made the mistake, imposing multi-million dollar fines, and saying it won't happen to us, let us learn from their mistakes," said Wisniewski. "That starts by knowing what to protect, and then making sure it stays protected. Classify your data based upon its importance. Now, based on that classification take the appropriate actions to control and protect that data."

This Stanford Hospital data breach aside, most data breaches typically go unreported. Part of the problem, according to Ponemon Institute, is the country's patchwork of data breach laws, including differing notification requirements in 49 states. Furthermore, different types of data--such as financial data or health information--are regulated by different laws and government agencies.

But according to a data breach report released on Thursday by the Digital Forensics Association, which reviewed data breaches from 2005 to 2010, the number of health industry data breaches disclosed has increased markedly since the Health Information Technology for Economic and Clinical Health Act (HITECH Act)--meant to strengthen privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA)--was passed in Nov. 2009. Notably, the HITECH Act requires healthcare organizations to disclose breaches involving unencrypted personal health information, when those breaches affect at least 500 people in one state. The Department of Health and Human Services is now maintaining a database to track such breaches.
