St. Vincent Hospital said about 51,000 patients' personal informationnames, addresses and Social Security numberswas inadvertently made available on the Internet in the spring because of a security lapse by a subcontractor.
"We have no confirmation that any patient's personal information was accessed, retrieved or compromised in any way," St. Vincent spokesman Johnny Smith said. The Indianapolis-based hospital also said no confidential medical information was made available.
The 740-bed hospital said all of the patients have been notified by a letter mailed last week, and St. Vincent is providing those affected with free credit-monitoring service for one year as well as a free credit report.
The security lapse happened when a technician from Verus, Bellevue, Wash., a subcontractor that was developing a medical-billing site for St. Vincent, made a change to an Internet server, making the patient data from a test Web site publicly available through Internet searches for what a hospital spokesman said was a brief period of time. He did not specify how long it was available.
Once the error was discovered, the patient data were removed from the Internet. St. Vincent said it was notified of the lapse this summer.
"We have terminated our relationship with Verus," Smith said.
Read more (registration may be required).