Breach of info for 20K patients at Stanford underscores gaps in business associate security

Stanford University Hospital in Palo Alto, Calif., recently found that a spreadsheet containing health data on about 20,000 emergency department patients had been posted on a website unrelated to the hospital for about a year, according to the New York Times. Among the items of personal health information (PHI) exposed to public view were patient names, diagnosis codes, admission and discharge dates, and billing charges.

Once again, this major security breach highlights the fact that misuse or loss of PHI by employees and business associates is a much bigger security risk than hacking or malicious attacks on health information systems. A report analyzing government security breach data shows that hacking was involved in only six percent of incidents in which security was compromised.

In the Stanford case, a Los Angeles billing contractor named Multi-Specialty Collection Services had obtained the spreadsheet from the healthcare organization in the course of its normal operations. The spreadsheet ended up on a website called Student of Fortune, which allows students to hire people to help them with their homework. It was first posted to the site on Sept. 9, 2010, as an attachment to a question about how to construct a bar graph. Stanford apparently was unaware of the situation until a patient reported it to the hospital a couple of weeks ago.

Stanford has suspended the billing contractor, launched an investigation, and is offering free identity theft protection services to affected patients, even though no Social Security numbers or other identifying information were on the spreadsheet. Multi-Specialty has assumed responsibility for the breach.

Interestingly, the new HIPAA security rules, which are expected to be finalized in the next few months, increase the security requirements for business associates of healthcare providers. But as the Stanford incident shows, it's very difficult to ride herd on these business associates, regardless of what's in their contracts.

To learn more:
- read the New York Times article
- see the InformationWeek piece