For nearly a year, medical records for twenty-thousand emergency room patients at a Palo Alto, California hospital were available online for public viewing. The breach included names of patients and diagnosis codes, the hospital has confirmed to the New York Times.
Although medical security breaches are not uncommon, the Stanford Hospital breach was notable for the length of time that the data remained publicly available without detection.
The hospital, since being made aware of the information leak, has been investigating how the detailed spreadsheet containing the information made its way from one of its vendors, to a web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.
Gary Migdol, a spokesman for Stanford Hospital and Clinics, told the International Business Times that the spreadsheet first appeared on the site in early September of last year, as an attachment to a question about how to convert the data into a bar graph.
Despite government regulations strengthening the requirement of public reporting of breaches and imposing heavy fines, experts on medical security said this latest breach highlights the increasing difficulty of keeping data secure while being shared by a growing number of subcontractors and systems.
The subcontractor of the vendor, Multi Specialties Collection Services, created the spreadsheet as part of a billing-and-payment analysis for Stanford, according to Migdol. The vendor did not return calls by deadline and the hospital has suspended business with the company upon learning of the breach, the Mercury Times reports.
Bryan S. Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health providers, points out that paper records can be lost, stolen or insecurely disposed of. With medical records being moved into digital formats, large breaches are emerging as a growing problem, he told the Mercury News.
Vendors and subcontractors are common in the medical billing industry and many “may not realize their obligations,” Cline added. While required to protect patient privacy under federal law, “they don't understand the implications of that,” he said. “They may not even have a security person.”
The contracts that hospitals sign with vendors give them the right to recover any costs if records are breached. “But it hasn't worked,” Cline told Mercury News reporter Lisa M. Krieger. “It's a model based on trust — ‘I trust you to do the right thing because I can sue.’ There's nothing about assuring that third parties can actually protect the information.”
Amber Yoo, spokeswoman for Privacy Rights Clearinghouse, a San Diego-based organization dedicated to protecting the privacy of American consumers, agreed. “A hospital may have trained all its staff, but the minute it leaves them and goes to a third party, they are giving away an element of control,” she told Krieger.
A health record is worth about $50 on the black market, compared to only $1 for a Social Security number, Cline said. It can be sold to people who lack health insurance and used to file fraudulent claims, he said.
“Any time you are putting sensitive information onto an electronic database, you are introducing risk,” Yoo said. And once records are online, “it is very hard to truly delete them. There are websites where you can look at archival versions of web pages.”
Americans expect doctors and hospitals to use their records only with consent, said Dr. Deborah C. Peel, founder of the watchdog group Patient Privacy Rights, “not to give them to legions of contractors and strangers. Existing regulations are just not strong enough to protect Americans' sensitive health information. Today's electronic health systems are not safe or trustworthy.”
Stanford notified affected patients within four days of the discovery and also arranged for free identity protection services.