Data Breach Affects 20,000 Patients, Prompts $20M Lawsuit
As a reminder of the perils surrounding protected health information (PHI), Stanford Hospital & Clinics is facing a very expensive lawsuit for a data breach affecting approximately 20,000 patients.
A spreadsheet containing the protected information of patients seen in the emergency room from March through August 2009 was posted as an attachment to Student of Fortune, a website for students seeking help with homework, as part of a question about how to convert the data into a bar graph. The spreadsheet contained names, diagnosis codes, account numbers, and admission and discharge dates. The data did not include social security or credit card numbers. The spreadsheet was posted Sept. 9, 2010 and remained on the site until Aug. 22, 2011, when it was discovered by a patient.
According to Stanford, a third-party billing contractor, Multi Specialties Collection Services (MSCS), gave the spreadsheet to a job applicant as part of a skills test. Unaware that the spreadsheet contained real, private patient data, the applicant posted the information to the website.
One of the affected patients, Shana Springer, filed a class-action lawsuit on Sept. 28 in Los Angeles Superior Court, alleging violation of state law that requires providers to safeguard patient information and prohibits disclosure without written consent. The suit seeks to recover from Stanford $1,000 per compromised record, or $20 million total.
In response, Stanford issued a statement noting that the hospital successfully demanded that the spreadsheet be taken down from the website and backup servers as soon as the issue was brought to its attention. Additionally, “SHC quickly notified the affected patients of this breach and offered to provide free identity protection services to all the patients, even though the information disclosed on the website is not the type used for identity theft. To date, there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose.”
Stanford has placed responsibility for the breach on MSCS and has terminated its relationship with the billing company. According to the hospital’s statement, “This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS’s contract with SHC and is shockingly irresponsible.” Stanford maintains that it acted in accordance with all requirements to protect patient confidentiality, and says it will “vigorously defend” against the class-action complaint.
To date, federal authorities have not responded publicly to the data breach, although the breach was potentially in violation of federal laws meant to secure patients’ PHI.
Stanford’s experience highlights the importance not only of strict internal compliance with guidelines and precautions for protecting PHI, but also of careful vetting of business partners that handle that data, including third-party billing companies, auditors, etc.