Patient information left open online at Oregon hospital

August 15, 2007

Associated Press

Information such as Social Security numbers about patients at Sky Lakes Medical Center was available online for about a month when the hospital's security was down.

But hospital officials say they found no unauthorized access after scanning thousands of records.

"The door was open. Nobody came through it," said Tom Hottman, spokesman for the hospital, formerly known as Merle West.

Hottman said the company that maintained the hospital's online bill payment system, Verus Inc., transferred patient information from one server to another to perform maintenance but didn't take security measures, leaving information such as names, addresses and Social Security numbers exposed.

When a patient at another hospital was able to access his records while searching the Internet, the problem was uncovered, Hottman said.

The hospital shut down the online bill payment system in late May, sent letters to about 30,000 patients and canceled its contract with Verus, he said.

Sky Lakes plans to reinstitute an online payment service, but not until it identifies security and procedures to ensure patient information isn't exposed again, Hottman said.

main page ATTRITION feedback