Stanford University Hospital in Palo Alto, Calif. is investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up publicly available for nearly one year on a homework help site for students.
The spreadsheet first became available on the site last September as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The question sought help on how the medical data in the attachment could be presented as a bar graph, The New York Times reported on Thursday.
A Stanford Hospital & Clinics representative told Computerworld in a statement that the hospital discovered the file on August 22, and took action to see it was removed within 24 hours.
"A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information," the statement said.
The statement identified the third party as Multi Specialties Collection Services, which it described as an "outside vendor's sub-contractor."
The contractor is conducting its own investigation into what happened. "The Hospital may take further action following completion of the investigation," the statement said. "This incident was not caused by the Hospital, and responsibility has been assumed" by the third-party contractor, the statement added.
The spreadsheet contained names, diagnosis codes, account numbers as well as admission and discharge dates for about 20,000 patients who visited the Emergency Room at the hospital in 2009. No Social Security numbers, addresses, birthdates, or credit card details were compromised in the breach. Even so, Stanford has agreed to pay for identity theft monitoring services for the victims.
The hospital learned about the spreadsheet this August when a patient noticed it on the Student of Fortune website and informed the hospital about it. The spreadsheet was taken down immediately once the site learned about it.
Stanford has since suspended its relationship with the billing contractor and has asked it to either destroy or securely return all Stanford patient-related data it currently has in its possession.
The spreadsheet had been prepared by the contractor as part of a billing analysis for the hospital.
Student of Fortune did not immediately respond to a request for comment on the incident. But a spokeswoman for Student of Fortune is quoted in the Times report as saying that the site had been unaware of the data until being informed about it by the hospital, at which time it promptly took the information down. The spokeswoman said the identity of the poster cannot be determined.
This is the second time in less than two years that Stanford has been in the news over a data breach. In January 2010, an employee stole a computer containing protected health information on 532 patients from the hospital's heart center.
That breach resulted in the hospital being hit with a stiff $250,000 fine by the California Department of Public Health for its alleged failure to notify affected patients of the breach as quickly as state law requires. Stanford has appealed the fine, contending that it acted in a manner consistent with the state's data breach reporting requirements.
HIPAA in the hotseat
The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data to take better care of it, said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.
Many of the problems stem from the indiscriminate sharing of sensitive personal information among "legions of secondary users," she said. The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel said.
"We do not have an effective federal health privacy law. HIPAA was gutted in 2002 when control over who can see and use patient data for all routine uses was eliminated," she said.
The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. "Data should be used for a single purpose after the patient gives consent such as consent to use the data to pay a claim or send to a consultant."
"Consent should be obtained for any secondary or new uses of data," she said. All organizations that handle health data, including third parties should be certified to adhere to the highest standards of data security, Peel said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.