Stanford Hospital Contractor Leaks 20,000 Patient Records to Public Website

Stanford Hospital discovered last month that a contractor had posted a private database containing medical records of 20,000 patients to a public homework assistance Website in search of help on how to create bar graphs.

A data privacy breach at Stanford University's hospital has resulted in medical records for 20,000 emergency room patients being posted on a public Website for nearly a year, according to The New York Times.

A patient notified the hospital of the breach Aug. 22, and the hospital has been investigating how a detailed spreadsheet containing sensitive patient information wound up being posted on a commercial site, The New York Times reported Sept. 8. The compromised information belonged to patients who went to Stanford Hospital's emergency room over a six-month period in 2009.

The records included names, diagnosis codes, account numbers, dates of admission and discharge, and billing charges. Social Security numbers, birth dates, credit card accounts and other information that could potentially result in identity theft were not exposed. Even so, the hospital is offering free identity-protection services to all affected patients.

"It is clearly disturbing when this information gets public," Diane Meyer, Stanford Hospital's chief privacy officer, told the Times, adding, "It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that."

The nature of the incident was "quite strange," but it doesn't appear that it was part of a widespread breach, Mike Paquette, CSO at Corero, told eWEEK.

The spreadsheet originated at one of the hospital's vendors, a billing contractor called Multi-Specialty Collection Services. The spreadsheet appeared on a Website called Student of Fortune, where students pay for assistance with schoolwork. The spreadsheet was part of a question on how to convert the data into a bar graph and appeared Sept. 9, 2010. Student of Fortune removed the post with the spreadsheet immediately after being contacted by Stanford last month.

"It's baffling why anyone would post a spreadsheet with this kind of personal and sensitive information to a public forum looking for advice on how to create a graph," Geoff Webb, director of product marketing at Credant Technologies, told eWEEK.

Stanford Hospital has canceled its contract with Multi-Specialty Collection Services and received a written promise that all hospital-related files would be either destroyed or returned.

Unfortunately, this kind of breach is becoming altogether common as information is shared between partners, customers and contractors to reduce costs and improve services, Webb said. The idea of protected information staying within the network perimeter is "effectively dead," said Webb.

The offending employee ignored both policy and "frankly, any kind of good sense," Webb said, adding that "a number of things either went wrong or were simply missing" at Stanford Hospital, such as the ability to enforce policies around protecting sensitive health care information and technical controls to prevent this kind of misuse.

While it's essential that organizations have strong perimeter security and comprehensive authentication and authorization policies in place, they also have to "rigorously" control all private data leaving the network, Phil Waltson, vice president of development and product management at Layer 7 Technologies, told eWEEK.

Security Information and Event Management (SIEM) products can provide continuous monitoring of patient data, the systems and networks on which it resides and the individuals accessing it. When deployed properly, SIEM would send health care organizations an alert for unauthorized data access or anomalous activity, Mike Reagan, vice president of marketing at LogRhythm, told eWEEK.

Reagan acknowledged that even if Stanford Hospital itself had been "doing all the right things" to protect the data, they didn't seem to be demanding the same of their contractors and service providers.

"It's like going into battle wearing Kevlar pants and a T-shirt. It looks like the collection agency from which this information was leaked may have been wearing a T-shirt," Reagan said.

Considering the kind of sensitive information this spreadsheet contained, there should have been various security controls ensuring that the personal health information remained protected, John Linkous, vice president and chief security and compliance officer at eIQnetworks, told eWEEK.

The security controls should have been in place for the entire lifecycle of the data, from when it was collected through to secure destruction after it was no longer needed. This isn't just proper security, as there are a "plethora of mandates" dictating how the document should have been protected, including the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws, Linkous said.

Education is critical. Employees have to be taught that information has to be private. No matter how much training there is, the organization has to assume that at some point, information will be exposed. So there needs to be technology in place to "step in to protect" data when the employee still acts contrary to training, Webb said.