For nearly a year, the medical records of more than 20,000 emergency room patients who were treated at Stanford Hospital in Palo Alto, Calif., were broadcast publicly on a commercial website, according to a report in the New York Times.
Patient data, including names, diagnosis codes and billing charges, for the thousands of people who were admitted to the Stanford hospital over a six-month period in 2009, was posted in a spreadsheet on the website Student of Fortune, the Times’ Kevin Sack reports. The site, which offers students homework assistance for a fee, used the spreadsheet to demonstrate how to convert data into bar graphs.
The patient data was first posted on Student of Fortune on Sept. 9, 2010; the privacy breach was discovered and reported to the hospital on Aug. 22, according to the Times. The information was taken down from the website the following day.
Apparently, the spreadsheet somehow got from one of the hospital’s vendors, a billing contractor called Multi-Specialty Collection Services, to the student website — and remained public for nearly a year.
“It is clearly disturbing when this information gets public,” Gary Migdol, a spokesman for Stanford Hospital and Clinics, told Sack. “It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that.”
Medical data breaches are no rarity, though. Department of Health and Human Services records show that personal medical data for more than 11 million people has been compromised in the past two years. The Times’ Sack reports:
Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.
This is the kind of data breach that Rep. Mary Bono Mack (R-Calif.) and her collaborators are currently working to prevent, by introducing new federal legislation. Likewise, Sen. Richard Blumenthal (D-Conn.) recently introduced the Personal Data Protection and Breach Accountability Act, which aims to strengthen security for businesses that handle sensitive information for more than 10,000 customers or clients, according to the blog The Hill.
As for figuring out what happened with the Stanford data breach, investigators have their work cut out for them. Migdol said that no Stanford Hospital employee had acted improperly. The Times was not able to reach anyone from Multi-Specialty Collection Services to comment. And the vice president of Chegg, the company that bought Student of Fortune in August, told the Times that it wasn’t possible to identify the person who first posted the patient data by the username.