Sponsored By

Stanford Hospital Breach Exposes 20,000 ER RecordsStanford Hospital Breach Exposes 20,000 ER Records

Spreadsheet uploaded to homework-help website exposed sensitive patient data for almost a year.

Mathew J. Schwartz

September 9, 2011

4 Min Read

Strategic Security Survey: Global Threat, LocalPain

Strategic Security Survey: Global Threat, LocalPain

Strategic Security Survey: Global Threat, Local Pain (click image for larger view and for full slideshow)

Stanford Hospital & Clinics is investigating a privacy breach that left records on 20,000 emergency room visitors exposed online for a year.

The records appeared in a spreadsheet uploaded to Student of Fortune, a homework-help website, on Sept. 9, 2010. The spreadsheet was attached to a question about how the data could be converted into a bar graph. While the exposed records didn't include social security numbers, they did include names and diagnosis codes, admission and discharge dates, and account numbers.

The hospital said Thursday it first learned of the data breach after a patient alerted it on Aug. 22, 2011. Four days later, the hospital notified affected patients in a letter written by the hospital's chief compliance and privacy officer, Diane Meyer. Under federal stimulus funding laws, healthcare organizations are required to publicly disclose data breaches in a timely manner.

After discovering the breach, "a full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information," according to a statement released by the hospital. It said it also immediately notified state and federal authorities about the breach.

The hospital said it traced the spreadsheet to a report generated by a subcontractor of one of its vendors, Multi-Specialty Collection Services, which is a subsidiary of Texican, a healthcare facility management vendor (although the Texican LinkedIn profile now resolves to the website of a company known as LuxSci). The hospital said it had severed its relationship with the vendor.

"It is clearly disturbing when this information gets public," hospital spokesman Gary Migdol told The New York Times. "It is our intent 100% of the time to keep this information confidential and private, and we work hard every day to ensure that."

According to Chester Wisniewski, a senior security advisor at Sophos Canada, healthcare organizations that outsource work to third parties typically require their business partners to keep the information secure. But many never verify whether this is being done. "Simply inserting some clauses in their contracts to require these third parties to meet these regulations will ensure the data will be protected, right?" he said in a blog post.

While Student of Fortune said that it's been unable to identify the owner of the account used to upload the spreadsheet. But even if that person does get identified, perhaps this breach should be treated as more of a learning experience. "Rather than track down the person who made the mistake, imposing multi-million dollar fines, and saying it won't happen to us, let us learn from their mistakes," said Wisniewski. "That starts by knowing what to protect, and then making sure it stays protected. Classify your data based upon its importance. Now, based on that classification take the appropriate actions to control and protect that data."

This Stanford Hospital data breach aside, most data breaches typically go unreported. Part of the problem, according to Ponemon Institute, is the country's patchwork of data breach, including differing notification requirements in 49 states. Furthermore, different types of data--such as financial data or health information--is regulated by different laws and government agencies.

But according to a data breach report released on Thursday by the Digital Forensics Association, which reviewed data breaches from 2005 to 2010, the number of health industry data breaches disclosed has increased markedly since the Health Information Technology for Economic and Clinical Health Act (HITECH Act)--meant to strengthen privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA)--was passed in Nov. 2009. Notably, the HITECH Act requires healthcare organizations to disclose breaches involving unencrypted personal health information, when those breaches affect at least 500 people in one state. The Department of Health and Human Services is now maintaining a database to track such breaches.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights