Stevens patients’ data put online

EDMONDS – Stevens Hospital is notifying more than 500 former patients that their names and Social Security numbers were potentially accessible over the Internet for more than a month.

The problem was caused by a lapse in security by a firm whose services allow patients to pay their bills online, Mike Carter, the hospital’s chief executive, said Monday.

Stevens has sent out letters to 556 people whose information was vulnerable. In addition, the hospital has set up a hotline for people to call for more information and has posted information about the problem on its Web site.

“We regret the fact that it happened,” Carter said. “Our patients’ privacy and well-being are the two most important things to us.

“From the minute we learned about this, we did everything we could to understand the scope of the problem, make sure that the information (on the Internet) had been removed and to come forward with the information to make sure everyone knew that it happened,” he said.

The public hospital learned of the problem on May 23, Carter said. A day earlier, a relative of a hospital physician was doing a Google search for information about someone who had recently died.

The search turned up a financial database of former Stevens patients, including individual names, Social Security numbers and addresses, Carter said.

No medical records and no credit card information were included in the online information, Carter said.

Carter said the hospital began work to understand what had gone wrong and “as quickly as we could, get that information off the Internet.”

The problem occurred in mid-April at Verus Inc., a Bellevue-based company, he said. It was caused when the company turned off a firewall, or security device, for maintenance on its server, Carter said.

Officials at Verus could not be reached for comment.

Verus offers an online service to allow patients to pay their hospital bills electronically. The hospital paid the company $1,800 per month, said Jack Kirkman, a hospital vice president.

Overall, the company had information on 21,000 patient accounts, but only a portion of those, records on 556 patients, were available online, Carter said.

The security lapse allowed the information to be accessible for more than a month, the hospital administrator said. However, hospital officials have no proof that anyone came across the information until they were told of the problem on May 23, Carter said.

Although companies involved in the problem, including Verus, and Goggle, have cooperated in getting the information off the Internet, the hospital filed a temporarily restraining order in King County Superior Court requiring them to remove the information, Carter said.

For patient protection, the court action was sealed until Monday, he said.

So far, hospital officials have only been told of nine tracked hits of the Stevens patient information on the Verus Web site, Carter said.

“What we can’t say for sure is how many people looked at the Google file,” Carter said. “What they’ve told us is it would take literally millions of dollars to tell that with certainty.”

The hospital is hopeful that no one wishing to use the information illegally, such as for identify theft, got access to the information before it was taken offline, Carter said.

Ultimately former patients will “have to tell us if their identify has been compromised,” he said. “If so, we’ll help them.”

The hospital decided last week to send a letter to patients notifying them of the problem. It was mailed on Friday.

Affected patients are being advised to watch their bills and put fraud alerts on credit information, Carter said.

Former patients could receive calls from people who falsely identify themselves as being from Stevens Hospital, offering their assistance and asking for personal information, the hospital’s letter warned.

Stevens Hospital only asks for personal information in person when patients are at the hospital, the letter said.

Reporter Sharon Salyer: 425-339-3486 or

Security lapse

Stevens Hospital has sent letters to patients whose names and Social Security numbers were accessible online. The problem is thought to have been caused by a security lapse at a company whose services allow patients to pay their bills online.

Information is posted on the hospitals Web site, The hospital has also set up a hotline, 425-673-3745, to answer questions on the issue.

Talk to us

More in Local News

This photo provided by OceanGate Expeditions shows a submersible vessel named Titan used to visit the wreckage site of the Titanic. In a race against the clock on the high seas, an expanding international armada of ships and airplanes searched Tuesday, June 20, 2023, for the submersible that vanished in the North Atlantic while taking five people down to the wreck of the Titanic. (OceanGate Expeditions via AP)
A new movie based on OceanGate’s Titan submersible tragedy is in the works: ‘Salvaged’

MindRiot announced the film, a fictional project titled “Salvaged,” on Friday.

Craig Hess (Snohomish County Sheriff’s Office)
Sultan’s new police chief has 22 years in law enforcement

Craig Hess was sworn in Sep. 14. The Long Island-born cop was a first-responder on 9/11. He also served as Gold Bar police chief.

Cars move across Edgewater Bridge toward Everett on Tuesday, Sept. 26, 2023, in Washington. (Olivia Vanni / The Herald)
Edgewater Bridge redo linking Everett, Mukilteo delayed until mid-2024

The project, now with an estimated cost of $27 million, will detour West Mukilteo Boulevard foot and car traffic for a year.

Lynn Deeken, the Dean of Arts, Learning Resources & Pathways at EvCC, addresses a large gathering during the ribbon cutting ceremony of the new Cascade Learning Center on Thursday, Sept. 28, 2023, at Everett Community College in Everett, Washington. (Ryan Berry / The Herald)
New EvCC learning resource center opens to students, public

Planners of the Everett Community College building hope it will encourage students to use on-campus tutoring resources.

Everett Police Chief Dan Templeman announces his retirement after 31 years of service at the Everett City Council meeting on Wednesday, Sept. 27, 2023 in Everett, Washington. (Olivia Vanni / The Herald)
Everett police chief to retire at the end of October

Chief Dan Templeman announced his retirement at Wednesday’s City Council meeting. He has been chief for nine years.

Boeing employees watch the KC-46 Pegasus delivery event  from the air stairs at Boeing on Thursday, Jan. 24, 2019 in Everett, Wa. (Andy Bronson / The Herald)
Boeing’s iconic Everett factory tour to resume in October

After a three-year hiatus, tours of the Boeing Company’s enormous jet assembly plant are back at Paine Field.

A memorial for a 15-year-old shot and killed last week is set up at a bus stop along Harrison Road on Wednesday, Sept. 13, 2023, in Everett, Washington. (Ryan Berry / The Herald)
Teen boy identified in fatal shooting at Everett bus stop

Bryan Tamayo-Franco, 15, was shot at a Hardeson Road bus stop earlier this month. Police arrested two suspects.

A memorial for a 15-year-old shot and killed last week is set up at a bus stop along Harrison Road on Wednesday, Sept. 13, 2023, in Everett, Washington. (Ryan Berry / The Herald)
Rival gang members charged with killing Everett boy, 15, at bus stop

The two suspects are accused of premeditated first-degree murder in the death of Bryan Tamayo-Franco, 15.

Logo for news use featuring the municipality of Snohomish in Snohomish County, Washington. 220118
Witnesses contradict gunman’s account of killing Monroe prison officer

Dylan Picard, 22, was driving on South Machias Road when Dan Spaeth approached his car to slow it down to avoid hitting a deer.

Most Read