Stanford Hospital & Clinics

Stanford Hospital & Clinics Data Breach (2011)

medium VERIS
Disclosed

January 1, 2011

5564 days ago

Records

20.0K

Confirmed

Root Cause

Lost Device

Industry

Healthcare

Description

A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year. The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital's chief privacy officer. The hospital took aggressive steps, and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said. "It is clearly disturbing when this information gets public," he said. "It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that." Diane Dobson, of Santa Clara, Calif., said her jaw dropped on Saturday when she intercepted the letter from Ms. Meyer addressed to her 21-year-old son, who she said had received emergency psychiatric treatment at Stanford in 2009. Ms. Dobson said it could have been disastrous if her son, who lives at home, had learned that his name was linked to a mental health diagnosis. "My son, I can tell you, is fragile and confused enough that this would have sent him over the edge," Ms. Dobson said, saying she decided to speak publicly now because of her frustration with the breach. Everyone with an electronic medical record is at risk, and that means everyone. Records compiled by the Department of Health and Human Services reveal that personal medical data for more than 11 million people have been improperly exposed during the past two years alone.
Since passage of the federal stimulus package, which includes provisions requiring prompt public reporting of breaches, the government has received notice of 306 cases from September 2009 to June 2011 that affected at least 500 people apiece. A recent report to Congress tallied 30,000 smaller breaches from September 2009 to December 2010, affecting more than 72,000 people. The major breaches (a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails) took place in 44 states. One occurred at the Lucile Packard Children's Hospital at Stanford in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised. But the California Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. The hospital appealed the fine, and a settlement has been reached but not yet disclosed, a department spokesman said. The Stanford episode reinforces the fear that even the most prestigious medical centers are not immune to risk.
