Stanford University Hospital said it is investigating a data breach reportedly involving records of 20,000 patients seen in the emergency room between March and August of 2009.

The patients’ names, diagnosis codes and billing amounts — but not Social Security numbers or credit card information — were posted on a public website for nearly a year before being removed Aug. 22.

In a letter to the patients, Stanford apologized and offered free identity-protection services.

The Stanford breach was one of many such incidents in recent years as medical institutions work to ramp up their security practices amid stiffer federal regulations and fines, an industry expert said.

In the 21-month period ending in June, hospitals, doctors and insurers reported 306 incidents involving 11.6 million medical records, according to Bryan Cline, vice-president of the HITRUST Alliance. HITRUST is a Texas-based industry consortium that has established a “common security framework” for health information.

Federal law requires notification without unreasonable delay, and no later than 60 days after discovery, for breaches that involve 500 or more individuals; those breaches must also be reported to the Secretary of Health and Human Services, who posts them publicly. Smaller breaches must be logged and reported to the Secretary annually.

“The drive to improve (medical data) security is catching up with financial institutions, but it’s a cost issue,” Cline said.

“The health care industry is like an aircraft carrier. Even when you want to turn it around it takes a long time.”

Much of the compromised data involved third parties, as in the Stanford case, he said.

The compromised data file was created by a subcontractor of an outside vendor, Multi Specialties Collection Services, Stanford said in a statement.

The data ended up on a website called Student of Fortune, according to the New York Times. The site provides homework help, and the data was used to show how to create a bar graph.

Stanford said it has suspended work with the vendor and is investigating how the data came to be posted on the web.

Multi Specialties Collection Services is conducting its own investigation into how its contractor caused the information to be posted, Stanford said.

Cline calculated that the size of the Stanford breach falls roughly at the median of such incidents. In an analysis of publicly reported data, he said he counted 22 cases involving more than 50,000 patients, 16 involving more than 100,000 and three involving more than 1 million.

More than 30 other medical data breaches, each involving 500 or more California patients, have been reported, including a 2006 incident involving 532 patients at Lucile Packard Children’s Hospital.

Other California institutions reporting data breaches have included Kaiser Permanente Medical Care Program (a theft affecting 15,500 patients in 2005) and UCSF (a 2005 theft affecting 7,300 patients and another hacking incident that year involving 610 patient records).

16 Comments

  1. There really needs to be a federal law that requires that all customer (or patient) data that is personal should be encrypted, and stored in such a way that a complete client record can not be easily reconstructed.

    Large institutions also ought to spend more on security, including security audits.

    There will always be people who lose, or abuse, passwords, so creating an entry-proof system is not likely. However, there is no reason that client records should be stored in clear text, making access to the company's/institution's data easy “pickins” once the “perp” is inside the computer system.

    It’s time for the Feds to get involved.

  2. Current privacy laws are a joke. Look up the oh so famous “privacy” law, HIPAA, and what it stands for (Health Insurance Portability and Accountability Act). Privacy was just thrown in as a freebie. Incidents like this infuriate me, as both a practitioner and a recent student gone back to school. While it obviously does not protect data like this, it gets in the way of learning, education and proper treatment of patients.

  3. Feds screw everything up; we don’t need more “FEDS” telling us what to do. What we need is a collaboration of healthcare providers and security experts to build a system free of politics. The insurance companies and the politicians they are in bed with are part of the problem, and they are the ones that set up the current “standards” where this can happen, but one practitioner has to whisper to another when it comes to talking about how the patient ended up doing at the other unit or facility.

  4. WELL, this person should be penalized by getting stripped of their credentials and be blackballed at every hospital again.

    Even if it’s a student or practitioner…they know who did this! It was a school project!

  5. My wife and I are outraged. This is the second time in two years that she has been the victim of Stanford’s carelessness, the first time when a laptop with employee-retiree data was taken with other critical information. Yes, a $1M insurance policy is offered, but still the info is out there, and the burden is on the employee/retiree to straighten out the mess.

  6. Stanford is very “relaxed” about security stuff. It seems no one wants to raise their hand to enforce it. Years ago, I had a job interview with a dept (don’t want to mention which one to save their face) that handles some sensitive patient data. During the interview, one person said that they have lots of patient data for research but the data is not that secure and they are worried…at least they know it!!! I was surprised what that person told me. So, I made some comments about Stanford’s bad practice. Ok, this cost me the job…. I am happily working at another place instead of Stanford.

  7. From the article in the MerkyNews:

    > These vendors, far from the hospital, “may not realize their
    > obligations,” Cline said. While required to protect patient privacy
    > under federal law, “they don’t understand the implications of that,”
    > he said. “They may not even have a security person.”

    While this is true, what’s astounding is that with a zillion lawyers hovering around hospitals (ambulance chasers to be sure), contracts involving contractors do not specify some level of security that is expected of the contractors and subcontractors. Certainly once a 3rd party gets involved, it might pay to require an audit by a security auditor of the hospital’s choice. This, of course, increases the cost of the IT project, but these cost increases have to be much smaller than the liability incurred when data breaches end up revealing no security of client/patient data by the hospital.

    It’s understandable that small hospitals in podunk might make these mistakes–but Stanford, right here in the middle of the Silicon Valley?

  8. Last year the Palo Alto Clinic (Sutter) outsourced its billing and laid off the local Clinic employees. The new company is/was located in Sacramento and Salt Lake City. (There have been countless problems ever since.) Then someone in Sacramento left a laptop someplace with priceless sensitive information, compromising the personal data of thousands of patients. Yes, the patients were offered ‘insurance’ and credit checking services, from the same company that Stanford is offering to the thousands of patients whose personal information was compromised in this latest mess. But this breach was ongoing for a year and was probably copied many times.

  9. Podunk hospitals are not as podunk as you may think. In fact, putting aside obvious specialty units/depts such as cardiac and neurosurgery, Stanford and this fictitious “everything is better, we are in Silicon Valley” is exactly that: fictitious.

  10. Stanford Hospital has an undeserved reputation for providing world class care. Many of my friends refuse to go there because of the extremely slow and poor care. Complaints are met with silence or rudeness. This is just another in a long list of reasons to avoid Stanford Hospital. The Peninsula would be better off if it closed down!

  11. I’d think if there was really a market demand for assured medical privacy, someone on Sand Hill Road would fund a start-up to facilitate receiving health care anonymously and rendering payment anonymously. I’m sure a time-varying secure key pseudonym system could be developed, secured and bonded. Except the government would demand access to the decoded client list.

  12. In response to the quality of care comment – my wife and I have had various medical issues over the years and we have found Stanford care to be excellent. I would extend this out to all the different people we interacted with there. Amongst our friends I have found exactly the same opinion.

  13. My personal data was one of the files. Nothing much I can do now. I just locked my barn door by signing up for the free identity security protection.
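
The first comment argues that a complete patient record should not be reconstructible from whatever file leaves the institution, and the article notes that the leaked file, which carried names alongside diagnosis codes and billing amounts, was used only to draw a bar graph. The following is an added example, not code from the original article, Stanford, or its vendor, showing one standard way to honour that principle before data is handed to a contractor: keyed pseudonymization plus separation of the identity table from the clinical and billing rows, with a release check that refuses to export direct identifiers. The records, the key handling and the column names are constructed assumptions for illustration. Full field-level encryption of the rows themselves would additionally require an AES library; this version sticks to the Python standard library.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records for illustration; these are not real patients.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "diagnosis_code": "J18.9", "billing_amount": 1250.00},
    {"name": "Bob Example", "diagnosis_code": "S52.5", "billing_amount": 3400.50},
    {"name": "Alice Example", "diagnosis_code": "R07.9", "billing_amount": 410.00},
]


def pseudonym(key: bytes, name: str) -> str:
    """Keyed pseudonym for a patient identifier.

    HMAC-SHA256 rather than a bare hash: whoever obtains the released file
    cannot confirm guesses ("is this row Alice Example?") by hashing candidate
    names, because the key never leaves the covered entity.
    """
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def split_records(records, key):
    """Separate identity from clinical/billing data.

    Returns (identity_map, deidentified). The identity map (token -> name)
    stays in the restricted system; only `deidentified` is handed to a vendor
    or analyst who needs to chart or bill the data.
    """
    identity_map = {}
    deidentified = []
    for rec in records:
        token = pseudonym(key, rec["name"])
        identity_map[token] = rec["name"]
        deidentified.append({
            "patient_token": token,
            "diagnosis_code": rec["diagnosis_code"],
            "billing_amount": rec["billing_amount"],
        })
    return identity_map, deidentified


def billing_by_diagnosis(deidentified):
    """The aggregate a bar graph needs; it never touches a name."""
    totals = defaultdict(float)
    for row in deidentified:
        totals[row["diagnosis_code"]] += row["billing_amount"]
    return dict(totals)


# Assumed list of direct-identifier columns; extend to match your schema.
DIRECT_IDENTIFIERS = ("name", "ssn", "dob", "address", "phone")


def contains_direct_identifiers(rows, forbidden=DIRECT_IDENTIFIERS):
    """Release gate: refuse to export rows that still carry identifier columns."""
    return any(col in row for row in rows for col in forbidden)


def reidentify(token, identity_map):
    """Re-linking needs the separately held map, so it is an authorized act,
    not something a holder of the released file can do on their own."""
    return identity_map.get(token)


if __name__ == "__main__":
    key = os.urandom(32)          # in practice: a managed key, never in the export
    ids, released = split_records(SAMPLE_RECORDS, key)
    if contains_direct_identifiers(released):
        raise SystemExit("refusing to release: identifiers present")
    print(billing_by_diagnosis(released))
```

The same token appears on both of Alice's visits, so the released rows can still be joined per patient for billing or charting, but the file on its own contains nothing that a homework site could post as a name. Re-identification requires both the token and the identity map, and a second copy of the export produced under a different key is not linkable to the first.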
