Stanford Breach Results in $20 Million Lawsuit
Stanford Hospital and Clinics says it will vigorously defend itself against a $20 million class action lawsuit filed after protected health information for approximately 20,000 patients was found on a public Web site.
In a recent statement, the hospital says it "acted appropriately and did not violate the law as claimed in the lawsuit."
Stanford notified patients in September following discovery of the breach on August 22. The protected information was on a website where students receive help with homework for a fee, according to the San Jose Mercury News. The information was in a spreadsheet attached to a file and covered emergency room patients seen from March 1, 2009 to August 31, 2009.
The spreadsheet, from a subcontractor of Multi-Specialty Collection Services, a Los Angeles billing contractor, wound up being posted to the Web site Sept. 9, 2010, the hospital later learned. The spreadsheet was an attachment to a question about how to convert the data into a bar graph.
"As soon as this was brought to SHC's attention by a patient, the hospital demanded and had the spreadsheet taken down from the website and backup servers," according to a Stanford statement in response to the lawsuit. "SHC quickly notified the affected patients of this breach and offered to provide free identity protection services to all the patients, even though the information disclosed on the website is not the type used for identity theft. To date, there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose. SHC has investigated this matter, terminated its relationship with MSCS, and reported this breach to law enforcement authorities."
The lawsuit, seeking a $1,000 award for each affected patient, alleges violation of state law that requires providers to safeguard patient information and prohibits disclosure without written consent, the Mercury News reports.