Stanford Hospital leaks 20,000 patient records

Filed Under: Data loss, Featured, Privacy

Over 20,000 records of patients who visited the emergency room at Stanford Hospital in 2009 were posted on the internet for over a year, it was disclosed today.

The leaked information included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges, according to the New York Times.

The information was posted to the website Student of Fortune, a site where students can pay for tutorials on how to complete their homework.

A spreadsheet with the sensitive information was attached to a question posted to the site asking if someone could explain how to convert the information into a bar graph.

Multi-Specialty Collection Services, a billing contractor for the hospital, is likely the source of the leak.

The question I have is, why was the data not protected (encrypted), and who would think it a good idea to post this kind of information to a public forum?

I see two problems at work in these types of incidents...

First, medical organizations that are required to protect confidential patient data in the United States under the HIPAA and HITECH acts often outsource work to third parties.

Simply inserting some clauses in their contracts requiring these third parties to meet these regulations ensures the data is protected, right?

Second, the laws and our attitudes toward data protection are simply outdated. If you think you should treat data differently when it is inside than when it is outside, you are doing it wrong...

Confidential information, whether it is sensitive health records or the source code to your secret Jesus phone to be released next month, cannot be "inside" or "outside". There is no inside.


Repeat after me... There is no inside. Has your organization ever had a malware infection? Then you don't have an inside. Unfortunately, this case proves that information *does* just want to be free.

If your data requires protection when it is on your USB thumb drive, your laptop and your iPad then it needs protection on your server, in your databases and with your trusted partners.

Eventually I will write up my thoughts on firewall policies and you will see how enraged I get when someone says "We aren't at risk from that worm, our firewalls block incoming connections."

Rather than tracking down the person who made the mistake, imposing multi-million dollar fines and saying "it won't happen to us", let us learn from their mistakes.

Classify your data based upon its importance. Now, based on that classification, take the appropriate actions to control and protect that data. Please?
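To make "classify, then control" concrete, here is an added example (not code from the original post, Sophos, Stanford Hospital or the billing contractor). It assumes a spreadsheet shaped like the one described above (name, account number, diagnosis code, admission and discharge dates, charge); the column names, the four sample rows and the pseudonymisation key are all constructed for this illustration. Each column carries a classification, every outbound record is checked against it, account numbers are replaced by a keyed token before anything goes to a partner, and the "bar graph" request is answered with category counts (small categories suppressed) rather than row-level patient data.

```python
"""Column-level classification and data minimisation for a billing export.

Added example: the layout mirrors the leaked spreadsheet described in the
post, but every row below is made up and the key is a placeholder.
"""
import csv
import hashlib
import hmac
import io
from collections import Counter
from datetime import date

# Constructed sample data; all names, accounts, codes and charges are fictional.
SAMPLE_CSV = """name,account_number,diagnosis_code,admit_date,discharge_date,charge
Alice Example,ACC-1001,J18.9,2009-03-01,2009-03-04,1200.50
Bob Example,ACC-1002,I21.9,2009-03-02,2009-03-09,8800.00
Carol Example,ACC-1003,J18.9,2009-03-05,2009-03-06,950.00
Dan Example,ACC-1004,S72.0,2009-03-07,2009-03-15,15400.75
"""

# Classification per column (assumed scheme). PHI must never leave the
# organisation in clear form; INTERNAL is needed for billing work; the
# classification is what drives every control below.
CLASSIFICATION = {
    "name": "PHI",
    "account_number": "PHI",
    "diagnosis_code": "PHI",
    "admit_date": "PHI",
    "discharge_date": "PHI",
    "charge": "INTERNAL",
}

# Hypothetical per-dataset key. In a real deployment it lives in a KMS/HSM,
# not in source code; it is hard-coded here only so the example runs offline.
PSEUDONYM_KEY = b"example-key-not-for-real-use"


def parse_rows(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed hash: the same account always maps to the same token, but the
    token cannot be reversed or brute-forced without the key (a plain
    unkeyed hash of a short account number would be trivially guessable)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def check_egress(record):
    """Refuse to release a record that still carries any PHI-classified column."""
    leaked = [col for col in record if CLASSIFICATION.get(col) == "PHI"]
    if leaked:
        raise ValueError(f"PHI columns present in outbound record: {leaked}")
    return record


def minimise_for_partner(rows):
    """What a billing contractor needs: a stable account token, the charge and
    the length of stay. Names, raw account numbers, diagnosis codes and exact
    dates are dropped; every output record passes the egress check."""
    out = []
    for r in rows:
        stay = date.fromisoformat(r["discharge_date"]) - date.fromisoformat(r["admit_date"])
        out.append(check_egress({
            "account_token": pseudonymize(r["account_number"]),
            "length_of_stay_days": stay.days,
            "charge": float(r["charge"]),
        }))
    return out


def aggregate_for_chart(rows, column="diagnosis_code", k=2):
    """Answer a 'turn this into a bar graph' request with counts only.
    Categories with fewer than k rows are folded into OTHER so that a rare
    diagnosis cannot single out one patient."""
    counts = Counter(r[column] for r in rows)
    result, other = {}, 0
    for category, n in counts.items():
        if n >= k:
            result[category] = n
        else:
            other += n
    if other:
        result["OTHER"] = other
    return result


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print(aggregate_for_chart(rows))
    print(minimise_for_partner(rows)[0])
```

The point of the egress check is that it runs on the record actually leaving, not on a contract clause: hand `check_egress` one of the raw rows and it raises, because `name` and `account_number` are classified PHI. The aggregated counts are what the homework question actually needed; nothing in them identifies a patient.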

Creative Commons photo of Stanford Hospital courtesy of DoNotLick's Flickr photostream.



5 Responses to Stanford Hospital leaks 20,000 patient records

  1. jessi slaughter · 1456 days ago

    What on earth is a secret Jesus phone? A Google result turns up this blog as the second link. Did you just invent it? If there is no inside, you need to get out more!

  2. Barbara · 1456 days ago

    You don't even have to be connected to be exposed.

  3. Dave · 1456 days ago

    Trouble is, there are no firm standards to encrypt data.

  4. CyberNinja · 1456 days ago

    The secret Jesus phone is a reference to the next iPhone ;-)

  5. PdotJ · 1456 days ago

    End users are ridiculous. They really don't get it. The data needs to be encrypted - yes but c'mon ppl - I hope someone is fired for leaking that data...


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at