Stanford Hospital leaks 20,000 patient records
Over 20,000 records of patients who visited the emergency room at Stanford Hospital in 2009 were posted on the internet for over a year, it was disclosed today.
The leaked information included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges, according to the New York Times.
The information was posted to the website Student of Fortune, a site where students can pay for tutorials on how to complete their homework.
A spreadsheet with the sensitive information was attached to a question posted to the site asking if someone could explain how to convert the information into a bar graph.
Multi-Specialty Collection Services, a billing contractor for the hospital, is likely the source of the leak.
The question I have is, why was the data not protected (encrypted) and who would think it is a good idea to post this kind of information to a public forum?
I see two problems at work in these types of incidents…
Simply inserting some clauses in their contracts to require these third parties to meet these regulations will ensure the data will be protected, right?
Second, the laws and our attitudes toward data protection are simply outdated. If you think you should treat data differently when it is inside than when it is outside, you are doing it wrong…
Repeat after me… There is no inside. Has your organization ever had a malware infection? Then you don’t have an inside. Unfortunately, this case proves that information *does* just want to be free.
Eventually I will write up my thoughts on firewall policies and you will see how enraged I get when someone says “We aren’t at risk from that worm, our firewalls block incoming connections.”
Rather than tracking down the person who made the mistake, imposing multi-million dollar fines and saying it won’t happen to us, let us learn from their mistakes.
Classify your data based upon its importance. Now, based on that classification take the appropriate actions to control and protect that data. Please?
Source: http://nakedsecurity.sophos.com