The hospital said Thursday that the breached data included names and diagnosis codes and had been on a commercial Web site for nearly a year, The New York Times reported. The data was discovered by a patient on Sept. 9, 2010, as an attachment to a question on how to convert the data to a bar graph.
The Web site removed the data the next day.
The newspaper said a detailed spreadsheet somehow made its way from one of the hospital's vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called "Student of Fortune." The site allows students to solicit paid assistance with their school work.
The hospital has been conducting an investigation since the breach was discovered last month.
The Times said the spreadsheet contained names, diagnosis codes, account numbers, admission and discharge dates and billing charges for patients seen at Stanford Hospital's emergency room during six months in 2009.
Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the data did not include Social Security numbers, birth dates, credit-card accounts or other information used in identity theft, but the hospital is offering free identity protection services to affected patients.
Since the enactment of the federal stimulus package, which among other things requires prompt public reporting of data privacy breaches, the U.S. government has received notice of 306 incidents affecting at least 500 people each from September 2009 to June 2011, the Times reported.
Four of the breaches each involved more than 1 million people. A recent report to Congress tallied 30,000 smaller breaches from September 2009 to December 2010, in total affecting more than 72,000 people, the Times said.
The major breaches took place in 44 states.