PALO ALTO, CA – According to a statement from Stanford Hospitals & Clinics, the breach that exposed the medical records of 20,000 emergency patients “was not caused by the hospital and responsibility has been assumed by a contractor working with the vendor.”

The patient information was leaked through a subcontractor hired by Stanford’s billing contractor, Multi Specialties Collection Services, according to a statement released by Gary Migdol, director of communications, Stanford Hospital & Clinics. 

The patient records were posted on a website called “Student of Fortune” for almost a year before being discovered by a patient, the New York Times reported. The website contained information about patients seen in the ED between March 1 and Aug. 31, 2009. Once discovered on Aug. 22, 2011, the information was removed from the website within 24 hours, the statement said.

The hospital has launched a full investigation and, “is working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information.” And although Multi Specialties Collection Services is also conducting its own investigation, the statement noted that the hospital may take further action following its completion.

“The hospital is strongly committed to protecting our patients’ information and immediately suspended work with the vendor," according to the statement. "The hospital notified affected patients quickly and also arranged for free identity protection services, though the data involved is not associated with identity theft."