Mislaid hospital data another cause for unease

Prestigious Stanford Hospital confirms that patient data handled by third-party contractor wound up exposed online for almost a year, The New York Times reports.

Edward Moyer

If recent hacking episodes--not to mention the casual attitude toward privacy displayed by some social networks--have made you a little queasy about our hyperdigitized, hypernetworked society, recent news from Stanford Hospital in Palo Alto, Calif., isn't likely to make you feel much better.

The New York Times' Kevin Sack reports that the hospital has confirmed a rather bizarre episode. A spreadsheet listing the names; diagnosis codes; account numbers; admission and discharge dates; and billing charges for 20,000 emergency room patients wound up on a Web site that enables students to pay people for help with their homework--as part of a question on how to illustrate the data in a bar graph.

The spreadsheet, which was online for almost a year before being spotted by a patient, was apparently part of a billing-and-payment analysis conducted for the hospital by a third-party consultant. The hospital is currently trying to suss out how the file slipped the confines of the contractor's computer systems to metamorphose from an example of professional analysis into an example of graphics or statistics homework.

The hospital, the Times' Sack reports, said it had taken "aggressive steps" to have the information removed, once it had been discovered. And the parent company of homework site Student of Fortune said it immediately pulled the data, which it hadn't known about, upon being contacted by the hospital. Sack also says the parent of Multi-Specialty Collection Services, the billing contractor, did not respond to messages left by the paper.

The unwanted exposure of personal medical records clearly puts patient privacy at risk. It can also be a conduit to fraud attempts. Writing about the Stanford Hospital breach this morning, Silicon Valley-based Mercurynews.com reports, citing a Health Information Trust Alliance executive, that a health record can fetch $50 on the black market because it provides a running start at filing a fraudulent insurance claim.

The episode is one of many that have surfaced since the federal government passed the stimulus package, which requires timely reporting of data breaches, Sack notes. From September 2009 to June 2011, the government was informed of 306 breaches that affected at least 500 people each. And 30,000 smaller breaches affected more than 72,000 people from September 2009 to December 2010.

Almost 20 percent of breaches, and more than half the records exposed, involved outside contractors, an official with the Health Information Trust Alliance told the Times, adding that health care providers need to watch over their vendors, rather than simply trusting a legal contract to ensure patient privacy.