Details have been released about how a Stanford Hospital & Clinics data breach affecting 20,000 emergency department patients occurred, the New York Times reports (Sack, New York Times, 10/5).
The health information breach involved the exposure of a detailed spreadsheet containing unencrypted data on patients treated at the hospital's ED between March 1, 2009, and Aug. 31, 2009.
The spreadsheet included such data as:
- Diagnosis codes;
- Admission and discharge dates; and
- Billing charges.
No Social Security numbers or credit card information were included.
Although the spreadsheet had been in the possession of a Los Angeles-based billing contractor called Multi-Specialty Collection Services, the document was discovered on a commercial website that allows students to seek paid help with their schoolwork.
The spreadsheet first appeared on the site in September 2010. A patient found it nearly a year later and reported it to the hospital on Aug. 22 (California Healthline, 10/4).
How It Happened
Joe Reyna, president of MSCS, wrote in an e-mail that the company's marketing vendor, Frank Corcino of Corcino & Associates, received the data directly from Stanford Hospital. Corcino converted the patient information to a new spreadsheet that he forwarded to a woman he was considering for a short-term employment opportunity.
Stanford officials said the job applicant was tasked with converting the spreadsheet into charts and a bar graph. The applicant, who was unaware the spreadsheet included actual patient data, posted the spreadsheet as an attachment on the schoolwork-help website studentoffortune.com.
In his first public statement, Corcino said the breach was the result of "a chain of mistakes, which are far too easy to make when handling electronic data." He faulted Stanford for sending him unnecessary personal information and MSCS for not providing him with proper training, the Times reports. However, Corcino did not explain how or why he sent the data to the job applicant.
Lisa Lapin -- Stanford University's assistant vice president for university communications -- said the hospital sent the data to Corcino in encrypted form because he requested it on behalf of MSCS to analyze a method for improving billing collections.
The hospital said in a statement, "This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract and is shockingly irresponsible."
Ellyn Sternfield, Reyna's lawyer, said that Corcino was not an MSCS employee and not authorized to use an MSCS title. She added that Reyna was unaware that Stanford had sent the patient data to Corcino or that Corcino had passed on the information to a job applicant (New York Times, 10/5).