Administrators at Stevens Hospital don’t care how the social security numbers, names and addresses of approximately 550 patients ended up on the Internet last month.
“Protecting the privacy of our patients is our only concern right now,” Stevens Chief Executive Officer Mike Carter said Monday, June 4.
Carter was alerted to the problem in a May 22 e-mail from a woman who accessed the patient records by way of a Google search.
A review of the complaint led to Emdeon, a leading business management firm for hospitals nationwide, and Verus Inc., a Bellevue-based company that was subcontracted by Emdeon to provide Stevens’ online bill paying services.
“The people at Verus were very up-front with us that one of their computer servers had been unsecured, allowing our patient information to be accessed on the Internet,” Carter said. “Then it was a matter of considering our options — what is the first thing we have to do to get this taken care of.”
On May 23, Stevens filed a temporary restraining order in King County Superior Court against Emdeon, Verus, Google and Yahoo, forcing the companies to shut down their servers and block any patient information that may have been snatched by search engine crawlers.
Attorneys for Stevens asked that the action be sealed for 10 business days to give the hospital time to contact former patients and remove their private information from the Internet.
“We didn’t think it would be very responsible to notify the general public of this until we knew access to our patients’ records had been blocked,” Carter said.
It doesn’t appear that anyone outside the hospital accessed the information.
All hits on Verus’ Web site have been accounted for, but determining the exact number of hits on the Google site was cost prohibitive.
“It would have cost millions of dollars in resources,” Carter said. “The folks at Google really tried to get us comfortable with the idea that the information wouldn’t have popped up in response to most searches. We just won’t know on that piece.”
The hospital has established a telephone hotline and Web site for patients who may have been affected by the security breach.
Patients are being asked to track their credit card and bank account activity closely and report any suspicious activity.
“We regret that this has happened and want to assure our patients and the communities we serve that privacy is among our top priorities,” Carter said. “At this point, I can’t say with any certainty what relationship if any we will maintain with the vendors involved.”
Carter imagines the hospitals legal fees alone will reach well into the six figures.
“We will be looking to our vendors to help with these costs,” he said. “At some point the explanation that, ‘Oh, this was just basic human error — just one of those things doesn’t cut it.”
Talk to us
> Give us your news tips.
> Send us a letter to the editor.
> More Herald contact information.
