Stanford Hospital in California has confirmed that a privacy breach led to medical information for thousands of emergency room patients to be posted online, according to the New York Times.

The data for 20,000 patients, including names and diagnosis codes, remained on a commercial website for nearly a year until the breach was discovered last month, the newspaper reported on its website Friday.

The Palo Alto hospital has been investigating how the material made its way from one of its vendors to a website that allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, told the paper that the data first appeared on the site on Sept. 9, 2010, as an attachment.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, the Times reports that experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.

The material also included admission and discharge dates and billing charges for patients seen at Stanford Hospital's emergency room during a six-month period in 2009, Migdol said. It did not include Social Security and credit-card numbers or other information used to perpetrate identity theft, he said.

"It is clearly disturbing when this information gets public," he said. "It is our intent 100 percent of the time to keep this information confidential and private, and we work hard everyday to ensure that."

Migdol said Stanford had concluded that "there is no employee from Stanford Hospital who has done anything impermissible."

He said he expected the federal Department of Health and Human Services to conduct its own investigation. Susan McAndrew, a deputy director in the department's Office for Civil Rights, told the newspaper that she could not discuss whether an investigation was in progress.