Stanford Hospital Data Breach Exposes 20,000 Patient Records

A medical data breach exposed the 20,000 private medical records of emergency room patients at Stanford Hospital in Palo Alto, Calif. incorporating detailed information such as names, diagnosis code and discharge dates.

Altogether the leaked information included patient names, diagnosis codes, account numbers, admission and discharge dates and billing information for patents at Stanford Hospital’s emergency room during a six-month period in 2009, according to The New York Times.

The hospital confirmed the breach to CRN, but could not immediately provide details.

The leaked information did not include patient Social Security numbers, birth dates or credit card numbers. Stanford Hospital said it planned to pay for identity protection services for affected patients, according to the The New York Times.

Apparently the compromised patient health-care data had been published to a student Web site, called Student of Fortune, which allows students to solicit tutoring services for their homework, where it remained exposed for almost a year.

The breach, which initially occurred in September 2010, was discovered last month and publicly disclosed by Stanford Hospital on Thursday. Thus far, it remains unclear who perpetrated the breach or the reason it was exposed.

Thus far, hospital officials have sourced the breach to one of the hospital’s contracted partners -- or business associate -- a billing collections agency known as Multi-Specialty Collection Services, which lost a spreadsheet containing the patient information, The Times reported. The spreadsheet was later discovered on the Student of Fortune Web site as an attachment by a patient on August 22.

While the leaked data didn’t include information typically used in identify theft or fraud, security experts contend that the breach could potentially have a significant impact on users, as well as Stanford Hospital, and could be used in identity related activities down the road.

’Although the spreadsheet apparently did not include Social Security numbers, birthdates, credit card accounts or other information that could be used to commit identity theft, this is clearly a breach of personally identifiable health information,’ said Mike Paquette, chief security officer at security firm Corero, in an e-mail. ’We’ve long said that it’s nearly a certainty that if your organization has any information that might be valuable to someone or some organization, then someone will try to steal it for their benefit, and usually at your loss.’

Health-care compliance solution providers contend that with the exposure of any personal information, the biggest issue would likely be identity theft.

’The major concern that comes out of all of this is identity theft,’ said Joe Dylewski, president of ATMP Solutions, a southeast Michigan-based solution provider. ’Insurance fraud is significant problem right now, and has been. If there was personally identifying information, it’s quite possible that people of note could be on that list, whose medial history and conditions are basically out there.’

Meanwhile, breaches like the one at Stanford Hospital are becoming increasingly common. Since the federal government enacted the HITECH Act in 2009, a piece of legislation which provides enforcement capabilities under Health Insurance Portability and Accountability Act (HIPAA), more than 300 health-care organizations have suffered medical data breaches, each affecting more than 500 individuals apiece, according to the Department of Health and Human Services .

In addition, the number of individuals affected by improper exposure of sensitive medical health information has totaled more than 11 million over the last two years between September 2009 and June of 2011.

Next: Stanford Hospital Responsible For Lost Patient Data

Thus far, it is unclear if the Stanford Hospital breach was malicious or unintentional. Even still, Paquette said that the hospital could likely be subjected to unwanted fines and other remediation costs.

’In this case, even if it turns out this breach was not part of an actual theft, it may still cost Stanford, since they’ve offered to pay for identity protection services for affected patients,’ Paquette said.

Dylewski said that many of the breaches, like the one Stanford Hospital, were sourced to noncompliant business associates of the health-care organization, housing inadequately protected patient data. But regardless of who was at fault, the principle health-care organization was ultimately responsible for its patients’ private information, he said.

’Stanford’s name is all over it,’ he said. ’Stanford still has all of the risk and liability. Even though it wasn’t Stanford’s fault, they have to manage a lot of the damage control.’

As such, Dylewski said that the Stanford breach underscored the necessity for healthcare organizations to undergo a comprehensive risk assessment, adding that it should also be extended to all of their business associate contractors.

’A lot of business associates rationalize why they don’t have to go through the HIPAA process,’ he said. They try to rationalize why they don’t have to make the investment to do it. This is an indication why it’s necessary and very, very important. My hope is, if the business associates don’t take this seriously, the hospitals and healthcare clients will start putting pressure on them.’