The data, which included personal health information such as patient names, diagnosis codes, admission and discharge information and billed charges, had been posted on the website for about a year, according to a report from the New York Times.
While this particular security breach won’t affect quite as many patients as the recently reported Tricare breach will, it certainly highlights the fact that loss or misuse of personal health information by healthcare employees or business associates seems to be a more significant security risk than hacking or malevolent attacks on electronic healthcare records systems.
In this case, the data was compromised by a Los Angeles-based billing contractor called Multi-Specialty Collection Services, which had obtained the spreadsheet from Stanford during the normal course of operation.
It was posted to a website called Student of Fortune, which was designed to let students hire people to help with their homework. It was posted on September 9, 2010 as an attachment to a forum question on how to construct a bar graph.
Stanford said it was unaware of the posting until it received a report from a patient who had found it on the site on August 22.
In response to the incident, Stanford suspended the billing contractor and launched an investigation. The organization is also offering free identity theft protection to any affected patients, although social security numbers and other identifying information were absent from the spreadsheet.
Multi-Specialty has taken full responsibility for the breach. The new HIPAA security rules, expected to be finalized over the next few months, will increase the security requirements for data shared with the business associates of healthcare providers—but as this incident proves, it’s not always easy to control business associates, despite what their contracts might say.
“We sincerely apologize for the concern this has caused our patients,” said Diane Meyer, Stanford’s Chief Privacy Officer, in a statement. “We value the privacy of patient health information and are committed to protecting it at all times. Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients’ information. We have worked extremely hard to identify all the parties responsible. No Hospital staff member was involved in posting the file to the website. We will continue to take aggressive action to hold all responsible parties accountable.”
A $20 Million Mistake?
As a result of the security breach, former Stanford patient Shana Springer, who was treated in the ER in 2009, is representing 20,000 patients in a complaint filed in the Los Angeles County Superior Court.
Springer is seeking damages worth $1,000 per patient, a total of about $20 million.
In a statement released October 3, Stanford responded to the class action lawsuit by saying that while it sincerely regretted that its patients’ confidentiality had been compromised by Multi-Specialty, it “intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.”