Confidential medical data - including patient names and diagnoses - for 20,000 people seen in Stanford Hospital's emergency room was posted on a public website for nearly a year before hospital officials found out about the security breach.
According to a San Francisco Chronicle report, hospital officials, who learned of the breach last month, said that the information has been removed and that they are investigating the incident.
"Stanford had sent names, diagnosis codes, account numbers, admission dates and charges to an outside vendor, Multi Specialties Collection Services in Los Angeles, which handles billing for the hospital," the article said. "The billing vendor passed the information on to a subcontractor, which created a spreadsheet out of the data. Somehow that spreadsheet was posted on Sept. 9 last year to a website called Student of Fortune, in a section where students pay for homework assistance. The spreadsheet was uploaded as an attachment to a question about making bar graphs."
The spreadsheet remained on the website until Aug. 22, when a patient found it and reported it to Stanford. The spreadsheet was removed within 24 hours and patients were notified of the security breach a few days late.
The posted spreadsheet did not include Social Security numbers, birthdates or any other data that could be used for identity theft, and the information was sent in an attachment and thus would not turn up in an Internet search, yet the hospital is still offering free identity protection services to those whose information was made public, the article said.