A medical-privacy breach at Stanford University’s hospital in Palo Alto, Calif., led to the public posting of medical records for 20,000 emergency-room patients, including names and diagnosis codes, on a commercial website for nearly a year, hospital officials confirmed.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from a billing contractor identified as Multi-Specialty Collection Services to the “Student of Fortune” website, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet appeared on the site Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford incident spotlights the vulnerability posed by legions of outside contractors that gain access to private data.

The spreadsheet contained names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at the emergency room during six months in 2009, Migdol said.

It did not include Social Security numbers, birth dates, credit-card accounts or other information used to perpetrate identity theft, he said, but the hospital is offering free identity-protection services to affected patients.

The breach was discovered by a patient and reported to the hospital Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer.

The hospital took “aggressive steps,” and the website removed the post the next day, Meyer wrote.

The Stanford incident is not rare. Records compiled by the Department of Health and Human Services show that personal medical data for more than 11 million people have been improperly exposed during the past two years.

The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward emails — took place in 44 states.

Migdol said the hospital had concluded “there is no employee from Stanford Hospital who has done anything impermissible.” He said he expected the Department of Health and Human Services to conduct an investigation.

Multi-Specialty Collection Services, based in Los Angeles, could not be reached for comment.

Migdol said the hospital immediately suspended its relationship with the contractor and received written certification that previous files would be destroyed or returned securely.