Stanford (CA) Hospital & Clinics (SHC) reported on its website on October 3 that it found a vendor's electronic file that included certain patient information on a student homework website and removed it the following day. But the information was out there for nearly a year.
According to Stanford, Multi-Specialty Collection Services, LLC (MSCS), a vendor, received encrypted patient information from the hospital for business purposes. MSCS decrypted the data and used it to create a spreadsheet. Then an MSCS staff member provided it to an unauthorized person who posted it on a student homework website to get help creating a bar graph and charts.
SHC immediately suspended all work with the vendor and demanded that MSCS lock down all patient information. SHC terminated the vendor relationship.
The vendor's file, posted September 9, 2010, included information on about 20,000 patients treated in SHC's emergency department from March 1 through August 31, 2009, including:
* Patient's name
* Medical record
* Hospital account numbers
* Emergency department admission/discharge date
* Diagnosis codes related to the emergency department visit
* Billing charges