EDMONDS – Stevens Hospital is notifying more than 500 former patients that their names and Social Security numbers were potentially accessible over the Internet for more than a month.
The problem was caused by a lapse in security by a firm whose services allow patients to pay their bills online, Mike Carter, the hospital’s chief executive, said Monday.
Stevens has sent out letters to 556 people whose information was vulnerable. In addition, the hospital has set up a hotline for people to call for more information and has posted information about the problem on its Web site.
“We regret the fact that it happened,” Carter said. “Our patients’ privacy and well-being are the two most important things to us.
“From the minute we learned about this, we did everything we could to understand the scope of the problem, make sure that the information (on the Internet) had been removed and to come forward with the information to make sure everyone knew that it happened,” he said.
The public hospital learned of the problem on May 23, Carter said. A day earlier, a relative of a hospital physician was doing a Google search for information about someone who had recently died.
The search turned up a financial database of former Stevens patients, including individual names, Social Security numbers and addresses, Carter said.
No medical records and no credit card information were included in the online information, Carter said.
Carter said the hospital began work to understand what had gone wrong and “as quickly as we could, get that information off the Internet.”
The problem occurred in mid-April at Verus Inc., a Bellevue-based company, he said. It was caused when the company turned off a firewall, or security device, for maintenance on its server, Carter said.
Officials at Verus could not be reached for comment.
Verus offers an online service to allow patients to pay their hospital bills electronically. The hospital paid the company $1,800 per month, said Jack Kirkman, a hospital vice president.
Overall, the company had information on 21,000 patient accounts, but only a portion of those, records on 556 patients, were available online, Carter said.
The security lapse allowed the information to be accessible for more than a month, the hospital administrator said. However, hospital officials have no proof that anyone came across the information until they were told of the problem on May 23, Carter said.
Although companies involved in the problem, including Verus and Google, have cooperated in getting the information off the Internet, the hospital filed a temporary restraining order in King County Superior Court requiring them to remove the information, Carter said.
For patient protection, the court action was sealed until Monday, he said.
So far, hospital officials have only been told of nine tracked hits of the Stevens patient information on the Verus Web site, Carter said.
“What we can’t say for sure is how many people looked at the Google file,” Carter said. “What they’ve told us is it would take literally millions of dollars to tell that with certainty.”
The hospital is hopeful that no one wishing to use the information illegally, such as for identity theft, got access to the information before it was taken offline, Carter said.
Ultimately former patients will “have to tell us if their identity has been compromised,” he said. “If so, we’ll help them.”
The hospital decided last week to send a letter to patients notifying them of the problem. It was mailed on Friday.
Affected patients are being advised to watch their bills and put fraud alerts on credit information, Carter said.
Former patients could receive calls from people who falsely identify themselves as being from Stevens Hospital, offering their assistance and asking for personal information, the hospital’s letter warned.
Stevens Hospital only asks for personal information in person when patients are at the hospital, the letter said.
Reporter Sharon Salyer: 425-339-3486 or email@example.com.
Stevens Hospital has sent letters to patients whose names and Social Security numbers were accessible online. The problem is thought to have been caused by a security lapse at a company whose services allow patients to pay their bills online.
Information is posted on the hospital’s Web site, www.stevenshealthcare.org. The hospital has also set up a hotline, 425-673-3745, to answer questions on the issue.