Stanford Reports Website Breach

Vendor Made Inappropriate Post
Stanford Hospital & Clinics reports that a business associate's subcontractor caused a health information breach when information about 20,000 patients treated in the hospital's emergency department was posted on a website.

In a statement, the academic medical center in Palo Alto, Calif., said a subcontractor of its business associate, Multi Specialties Collection Services, "created and caused to be posted to a website" an electronic file of patient information. The information about patients treated between March 1 and Aug. 31, 2009, included patient names, medical record numbers, hospital account numbers, emergency room admission/discharge dates, medical codes for the reasons for the visit and billing charges.

Although the information did not include credit card information or Social Security numbers, Stanford said in its statement that it's offering those affected free identity protection services.

The hospital discovered the posting Aug. 22 and took action to ensure the file was removed within 24 hours, according to the statement. The New York Times reported that the information, contained in a spreadsheet, was posted for nearly a year on a website for Student of Fortune, which enables students to solicit paid assistance with their schoolwork. Multi-Specialties Collection Services created the spreadsheet as part of a billing and payment analysis for the hospital, Stanford spokesman Gary Migdol told the newspaper.

In its statement about the breach, the medical center said: "Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred in violation of strong contract commitments to safeguard the privacy and security of patient information. The vendor ... is conducting its own investigation into how its contractor caused patient information to be posted to the website, and the hospital may take further action following completion of the investigation."

Stanford said it had "suspended work with the vendor." The hospital would provide no further comment beyond its statement.

Business Associates

The Department of Health and Human Services' Office for Civil Rights' list of major health information breaches shows that about 20 percent of the incidents involve business associates.

When it comes to breaches, business associates are "one of the biggest vulnerabilities," says Adam Greene, a former OCR official and now a partner at the law firm Davis Wright Tremaine. "Nine of the top 20 breaches, based on the number of individuals affected, have included business associates."

Security consultant Tom Walsh, president of Tom Walsh Consulting, notes, "Obtaining satisfactory assurances from business associates of appropriate safeguards is required by HIPAA. Unfortunately, when a business associate causes a breach, the name of the covered entity is listed first [on the OCR list], even when it is not their fault."

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
