Stanford Reports Website Breach
Vendor Made Inappropriate Post
In a statement, the academic medical center in Palo Alto, Calif., said a subcontractor of its business associate, Multi Specialties Collection Services, "created and caused to be posted to a website" an electronic file of patient information. The information about patients treated between March 1 and Aug. 31, 2009, included patient names, medical record numbers, hospital account numbers, emergency room admission/discharge dates, medical codes for the reasons for the visit and billing charges.
Although the information did not include credit card information or Social Security numbers, Stanford said in its statement that it's offering those affected free identity protection services.
The hospital discovered the posting Aug. 22 and took action to ensure the file was removed within 24 hours, according to the statement. The New York Times reported that the information, contained in a spreadsheet, was posted for nearly a year on a website for Student of Fortune, which enables students to solicit paid assistance with their schoolwork. Multi-Specialties Collection Services created the spreadsheet as part of a billing and payment analysis for the hospital, Stanford spokesman Gary Migdol told the newspaper.
In its statement about the breach, the medical center said: "Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred in violation of strong contract commitments to safeguard the privacy and security of patient information. The vendor ... is conducting its own investigation into how its contractor caused patient information to be posted to the website, and the hospital may take further action following completion of the investigation."
Stanford said it had "suspended work with the vendor." The hospital would provide no further comment beyond its statement.
Business Associates
The Department of Health and Human Services' Office for Civil Rights' list of major health information breaches shows that about 20 percent of the incidents involve business associates.
When it comes to breaches, business associates are "one of the biggest vulnerabilities," says Adam Greene, a former OCR official and now a partner at the law firm Davis Wright Tremaine. "Nine of the top 20 breaches, based on the number of individuals affected, have included business associates."
Security consultant Tom Walsh, president of Tom Walsh Consulting, notes, "Obtaining satisfactory assurances from business associates of appropriate safeguards is required by HIPAA. Unfortunately, when a business associate causes a breach, the name of the covered entity is listed first [on the OCR list], even when it is not their fault."