Stanford Hospital medical records data posted on public website, now removed

Download PDF Copy

Sep 9 2011

In what is being described as a major breach of privacy, the medical records of 20,000 emergency room patients were posted on a commercial website for a number of months. This situation raises questions about how to safeguard such information when it passes through numerous hands.

The New York Times: Patient Data Posted Online In Major Breach Of Privacy
A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year. … Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection (Sack, 9/8).

Mercury News: Stanford Medical Records Posted On Public Website, Now Removed
The electronic medical records of 20,000 Stanford Hospital emergency room patients, including names and diagnostic codes, were posted on a commercial website, the hospital disclosed Thursday. Personal information about patients seen between March 1 and Aug. 31, 2009, has been removed from the website and an investigation is under way, according to Stanford Hospital spokesman Gary Migdol. But the startling breach -; caused by a vendor's subcontractor, who has assumed responsibility -; raises questions about the privacy of medical information as it passes through many hands (Krieger, 9/8).

San Francisco Chronicle: Stanford Hospital ER Data Put On Website For Year
Confidential medical data -; including patient names and diagnoses -; for 20,000 people seen in Stanford Hospital's emergency room was posted on a public website for nearly a year before hospital officials found out about the security breach. Hospital officials, who learned of the breach last month, said Thursday that the information has been removed and that they are investigating the incident. Stanford had sent names, diagnosis codes, account numbers, admission dates and charges to an outside vendor, Multi Specialties Collection Services in Los Angeles, which handles billing for the hospital, said Stanford spokesman Gary Migdol (Allday, 9/9).

This article was reprinted from kaiserhealthnews.org with permission from the Henry J. Kaiser Family Foundation. Kaiser Health News, an editorially independent news service, is a program of the Kaiser Family Foundation, a nonpartisan health care policy research organization unaffiliated with Kaiser Permanente.