Stanford University Hospital said it is investigating a data breach reportedly involving records of 20,000 patients seen in the emergency room between March and August of 2009.
The patients' names, diagnosis codes and billing amounts -- but not Social Security numbers or credit card information -- were posted on a public website for nearly a year before being removed Aug. 22.
In a letter to the patients, Stanford apologized and offered free identity-protection services.
The Stanford breach was one of many such incidents in recent years as medical institutions work to strengthen their data security practices amid stiffer federal regulations and fines, an industry expert said.
In the 21-month period ending in June, hospitals, doctors and insurers reported 306 incidents involving 11.6 million medical records, according to Bryan Cline, vice-president of the HITRUST Alliance. HITRUST is a Texas-based industry consortium that has established a "common security framework" for health information.
Federal law requires public reporting within 90 days of breaches that involve more than 500 individuals. Smaller breaches must be reported to the Secretary of Health and Human Services.
"The drive to improve (medical data) security is catching up with financial institutions, but it's a cost issue," Cline said.
"The health care industry is like an aircraft carrier. Even when you want to turn it around it takes a long time."
Much of the compromised data involved third parties, as in the Stanford case, he said.
The compromised data file was created by a subcontractor of an outside vendor, Multi Specialties Collection Service, Stanford said in a statement.
The data ended up on a website called Student of Fortune, according to the New York Times. The site provides homework help, and the data was used to show how to create a bar graph.
Stanford said it has suspended work with the vendor and is investigating how the data came to be posted on the web.
Multi Specialties Collection Services is conducting its own investigation into how its contractor caused the information to be posted, Stanford said.
Cline calculated that the size of the Stanford breach falls roughly at the median of such incidents. In an analysis of publicly reported data, he said he counted 22 cases involving more than 50,000 patients, 16 involving more than 100,000 and three involving more than 1 million.
More than 30 other medical data breaches, each involving 500 or more California patients, have been reported, including a 2006 incident involving 532 patients at Lucile Packard Children's Hospital.
Other California institutions reporting data breaches have included Kaiser Permanente Medical Care Program (a theft affecting 15,500 patients in 2005) and UCSF (a 2005 theft affecting 7,300 patients and another hacking incident that year involving 610 patient records).