Last week, a woman who was a patient at Stanford Hospital & Clinics filed a $20 million class-action lawsuit against the facility on behalf of about 20,000 other Stanford Hospital patients whose medical information was publicly posted on a commercial website for about one year, the San Jose Mercury News reports.
Shana Springer filed the complaint in Los Angeles County Superior Court on behalf of herself and other patients treated at the hospital between March 1, 2009, and Aug. 31, 2009 (Green, San Jose Mercury News, 10/4).
The medical information breach involved the exposure of a detailed spreadsheet containing unencrypted data on Stanford Hospital's emergency department patients during the six-month period.
The spreadsheet included such data as:
No Social Security numbers or credit card information were included (San Jose Mercury News, 10/4).
Although the spreadsheet had been in the possession of a Los Angeles-based billing contractor called Multi-Specialty Collection Services, the document was discovered on a commercial website that allows students to seek paid help with their schoolwork.
The spreadsheet first appeared on the site in September 2010. A patient found the spreadsheet nearly a year after it first appeared on the site and reported it to the hospital on Aug. 22 (California Healthline, 9/9).
The class-action complaint claims that the hospital violated the state Confidentiality of Medical Information Act. The law requires health care providers to safeguard patient data and prohibits disclosure unless a patient provides written consent.
The complaint also alleges that Multi-Specialty Collection Services partially was responsible for the disclosure of patients' data.
The lawsuit seeks $1,000 per patient and other damages, penalties and legal fees (San Jose Mercury News, 10/4).
Response to Lawsuit
In a statement, Stanford Hospital said it will "vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit."
The hospital noted that there has been no evidence that the information available online has been used improperly (Palo Alto Weekly, 10/3).
Stanford Hospital said that Multi-Specialty Collection Services mishandled the data. The hospital has since ended its business relationship with the subcontractor (San Jose Mercury News, 10/4).
A spokesperson for Multi-Specialty Collection Services said the company would not comment on the lawsuit or Stanford Hospital's response because of an ongoing investigation (Palo Alto Weekly, 10/3).