Over 20,000 records of patients who visited the emergency room at Stanford Hospital in 2009 were posted on the internet for over a year it was disclosed today.
The leaked information included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges according to the New York Times.
The information was posted to the website Student of Fortune, a site where students can pay for tutorials on how to complete their homework.
A spreadsheet with the sensitive information was attached to a question posted to the site asking if someone could explain how to convert the information into a bar graph.
Multi-Specialty Collection Services, a billing contractor for the hospital, is likely the source of the leak.
The question I have is, why was the data not protected (encrypted) and who would think it is a good idea to post this kind of information to a public forum?
I see two problems at work in these types of incidents…
First, medical organizations that are required to protect confidential patient data in the United States under the HIPAA and HITECH acts often outsource work to third parties.
Simply inserting some clauses in their contracts to require these third parties to meet these regulations will ensure the data will be protected, right?
Second the laws and our attitudes toward data protection are simply outdated. If you think you should treat data differently when it is inside than when it is outside you are doing it wrong…
Confidential information, whether it is sensitive health records or source code to your secret Jesus phone to be released next month cannot be “inside” or “outside”. There is no inside.
Repeat after me… There is no inside. Has your organization ever had a malware infection? Then you don’t have an inside. Unfortunately, this case proves that information *does* just want to be free.
If your data requires protection when it is on your USB thumb drive, your laptop and your iPad then it needs protection on your server, in your databases and with your trusted partners.
Eventually I will write up my thoughts on firewall policies and you will see how enraged I get when someone says “We aren’t at risk from that worm, our firewalls block incoming connections.”
Rather than track down the person who made the mistake, imposing multi-million dollar fines and saying it won’t happen to us, let us learn from their mistakes.
Classify your data based upon its importance. Now, based on that classification take the appropriate actions to control and protect that data. Please?
Creative Commons photo of Stanford Hospital courtesy of DoNotLick’s Flickr photostream.