(AP) -- Stanford Hospital in California is blaming a subcontractor used by an outside vendor for a privacy breach that led to the posting online of medical information for thousands of emergency room patients.
The breach was first reported Friday by the New York Times ( http://nyti.ms/p84zWa ). The data of 20,000 patients, including names and diagnosis codes, remained on a commercial website for nearly a year until it was discovered last month and taken down, according to the newspaper.
In a statement, Stanford Hospital said the file that contained the patient information and was posted to the site was created by a subcontractor employed by one of its vendors, Multi Specialties Collection Services.
The hospital did not name the subcontractor, but it said Multi Specialties Collection Services is investigating how the company caused patient information to be posted to the website. Stanford said in the meantime, it has suspended working with Multi Specialties Collection Services.
"This incident was not caused by the hospital, and responsibility has been assumed by a contractor working with the vendor," the hospital said in its statement.
The information posted to the website also contained medical record numbers, hospital account numbers, emergency room admission and discharge dates and billing charges, according to the hospital. It did not contain credit card or Social Security numbers, information commonly associated with identity theft.
The affected patients were seen by the hospital's emergency department between March 1, 2009, and Aug. 31, 2009.
"The hospital notified affected patients quickly and also arranged for free identity protection services, though the data involved in not associated with identity theft," the statement reads.
The website where the file was posted allows students to pay for help with their school work, according to the New York Times.
Gary Migdol, a spokesman for the hospital, told the newspaper that he expected the federal Department of Health and Human Services to conduct its own investigation. Susan McAndrew, a deputy director in the department's Office for Civil Rights, said she could not discuss whether an investigation was in progress.
Explore further: DHS Employees Sue TSA over Lost Hard Drive