According to the New York Times, medical information for 20, 000 emergency room patients was posted online.
The paper says the data remained on a commercial website for almost a year until the Palo Alto hospital finally discovered the breach last month and took it down.
A hospital spokesperson says the data did not include information that could be used to perpetrate identity theft. It did not contain credit card or Social Security numbers.
In a statement, Stanford Hospital said the file that contained the patient information and was posted to the site was created by a subcontractor employed by one of its vendors, Multi Specialties Collection Services.
The hospital did not name the subcontractor, but it said Multi Specialties Collection Services is investigating how the company caused patient information to be posted to the website.
In the meantime, Stanford said it has suspended working with Multi Specialties Collection Services.
The affected patients were seen by the hospital's emergency department between March 1, 2009, and Aug. 31, 2009. The hospital said all affect patients were notified.
The Associated Press contributed to this report.