Lawsuit Filed Against Stanford Following Patient Data Breach

EVENTS

MAY

West Coast Summit on Using Health Data To Boost Care

San Francisco

MAY

Webinar on Effects of Reform on Health Systems

Online

MAY

Meeting of Calif. Mental Health Oversight Panel

Sacramento

View All Events

FROM THE FOUNDATION

End-of-Life Choices

Trends in end-of-life care show that not only does the care given vary widely from region to region and hospital to hospital, but also patients often don't get the care they prefer. What can be done?

Care Management Puzzle

Chronic diseases and the cost of care are rising. Are disease management programs improving outcomes for patients with complex, chronic conditions?

No Middleman

Under the "direct primary care" model, patients pay a monthly fee for basic medical services. Learn about the history and current landscape of physician practices offering this arrangement.

Tuesday, October 04, 2011

Lawsuit Filed Against Stanford Following Patient Data Breach

Last week, a woman who was a patient at Stanford Hospital & Clinics filed a $20 million class-action lawsuit against the facility on behalf of about 20,000 other Stanford Hospital patients whose medical information was publicly posted on a commercial website for about one year, the San Jose Mercury News reports.

Shana Springer filed the complaint in Los Angeles County Superior Court on behalf of herself and other patients treated at the hospital between March 1, 2009, and Aug. 31, 2009 (Green, San Jose Mercury News, 10/4).

Background

The medical information breach involved the exposure of a detailed spreadsheet containing unencrypted data on Stanford Hospital's emergency department patients during the six-month period.

The spreadsheet included such data as:

Names;
Diagnosis codes;
Admission and discharge dates; and
Billing charges (California Healthline, 9/9).

No Social Security numbers or credit card information were included (San Jose Mercury News, 10/4).

Although the spreadsheet had been in the possession of a Los Angeles-based billing contractor called Multi-Specialty Collection Services, the document was discovered on a commercial website that allows students to seek paid help with their schoolwork.

The spreadsheet first appeared on the site in September 2010. A patient found the spreadsheet nearly a year after it first appeared on the site and reported it to the hospital on Aug. 22 (California Healthline, 9/9).

Lawsuit Details

The class-action complaint claims that the hospital violated the state Confidentiality of Medical Information Act. The law requires health care providers to safeguard patient data and prohibits disclosure unless a patient provides written consent.

The complaint also alleges that Multi-Specialty Collection Services partially was responsible for the disclosure of patients' data.

The lawsuit seeks $1,000 per patient and other damages, penalties and legal fees (San Jose Mercury News, 10/4).

Response to Lawsuit

In a statement, Stanford Hospital said it will "vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit."

The hospital noted that there has been no evidence that the information available online has been used improperly (Palo Alto Weekly, 10/3).

Stanford Hospital said that Multi-Specialty Collection Services mishandled the data. The hospital has since ended its business relationship with the subcontractor (San Jose Mercury News, 10/4).

A spokesperson for Multi-Specialty Collection Services said the company would not comment on the lawsuit or Stanford Hospital's response because of an ongoing investigation (Palo Alto Weekly, 10/3).