California: "Privacy Breach: Hospital-Patient Data Online for Nearly a Year Before Detection"

From Consumer Reports Electronics Blog:

A spreadsheet containing private data for 20,000 emergency-room patients at Stanford Hospital in California appeared on a public website on September 9, 2010. The information was discovered and reported by a patient on August 22 of this year. The website, Student of Fortune, lets students obtain paid assistance with their schoolwork.

From the New York Times:

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

[Clip]

The spreadsheet included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, [Mr. Gary] Migdol [Spokesman for Stanford Hospital and Clinics,] said. It did not include Social Security numbers, birth dates, credit-card numbers or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.

The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took “aggressive steps,” and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.

Filed under: Data Files, News, Reports