Stanford Discovers Medical Record Leak

Last month Stanford University's hospital discovered a massive privacy breach when 20,000 emergency room records appeared online.

The medical diagnosis codes and names of patients appeared on a website called Student of Fortune, where users can essentially pay people to help with their homework, says Valleywag.

Gary Migdol, a spokesperson for Stanford Hospital and Clinics told the NYT that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

So what it seems, is that someone at the billing contractor was trying to turn the sensitive data into a graph of some sort, and asked the entire world for help on how to do it.


Migdol said the spreadsheet containted diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital's ER, over a six month period.

The information did not, however, include Social Security numbers , birthdates or credit card information.

The Hospital released the following statement:

"An electronic file that an outside vendor’s sub-contractor created and caused to be posted to a website contained limited information about patients seen in the Emergency Department of Stanford Hospital & Clinics between March 1 and August 31, 2009. The Hospital discovered this on August 22, 2011, and immediately took action to ensure removal of the file from the website, which was done within 24 hours. A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information. The vendor, Multi Specialties Collection Services, is conducting its own investigation into how its contractor caused patient information to be posted to the website and the Hospital may take further action following completion of the investigation. Information in the electronic file was limited to names, medical record numbers, hospital account numbers, emergency room admission/discharge dates, medical codes for the reasons for the visit, and billing charges. Information commonly associated with identity theft, such as credit card and social security numbers, was not included.

The Hospital is strongly committed to protecting our patients’ information and immediately suspended work with the vendor. The Hospital notified affected patients quickly and also arranged for free identity protection services, though the data involved is not associated with identity theft.

This incident was not caused by the Hospital, and responsibility has been assumed by a contractor working with the vendor.

Any patients who have received the letter and are concerned may call 855-731-6016 for assistance."

Contact Us