I don't have all the details, but it looks like an employee at one of the hospital's vendors did something really stupid:
A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.
Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.
Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.
One can easily see how this happened: someone on the billing contractor's staff was taking a class of some kind and decided to use real, live, HIPAA-protected data for a project. My law-school Wills instructor, Jerry Leitner, would explain this by the "omnibus explanation," the thing that explains nearly every human endeavor that ends badly: stupidity.
The article mentions Stanford got fined $250,000 from the breach. I wonder if they'll be able to get a contribution award from the contractor?