10.11.2011: Stanford University Hospital Security Breach Affects 20K Patients, Could Cost Hospital $20M

By Angela Atkinson. Posted October 10, 2011 10:00


A spreadsheet containing health data on approximately 20,000 emergency department patients from Palo Alto, CA-based Stanford University Hospital was recently discovered posted on a website that was unrelated to the hospital.

The data, which included personal health information such as patient names, diagnosis codes, admission and discharge information and billed charges, had been posted on the website for about a year, according to a report from the New York Times.  

While this particular security breach won’t affect quite as many patients as the recently reported Tricare breach will, it certainly highlights the fact that loss or misuse of personal health information by healthcare employees or business associates seems to be a more significant security risk than hacking or malevolent attacks on electronic healthcare records systems.

In fact, a recent report that analyzed government security breach data showed that only six percent of incidents that involved compromised health data security actually involved hacking.

In this case, the data was compromised by a Los Angeles-based billing contractor called Multi-Specialty Collection Services, which had obtained the spreadsheet from Stanford during the normal course of operation.

It was posted to a website called Student of Fortune, which was designed to help students hire people to help with their homework. It was posted on September 9, 2010 as an attachment to a forum question on how to construct a bar graph.

Stanford said it was unaware of the posting until it received a report from a patient who had found it on the site on August 22.

In response to the incident, Stanford suspended the billing contractor and launched an investigation. The organization is also offering free identity theft protection to any affected patients, although Social Security numbers and other identifying information were absent from the spreadsheet.

Multi-Specialty has taken full responsibility for the breach. The new HIPAA security rules, expected to be finalized over the next few months, will increase the security requirements for data shared with the business associates of healthcare providers—but as this incident proves, it’s not always easy to control business associates, despite what their contracts might say.

“We sincerely apologize for the concern this has caused our patients,” said Diane Meyer, Stanford’s Chief Privacy Officer, in a statement. “We value the privacy of patient health information and are committed to protecting it at all times. Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients’ information.  We have worked extremely hard to identify all the parties responsible.  No Hospital staff member was involved in posting the file to the website.  We will continue to take aggressive action to hold all responsible parties accountable.”

A $20 Million Mistake?

As a result of the security breach, former Stanford patient Shana Springer, who was treated in the ER in 2009, is representing 20,000 patients in a complaint filed in the Los Angeles County Superior Court.

Springer is seeking damages worth $1,000 per patient, a total of about $20 million.

In a statement released October 3, Stanford responded to the class action lawsuit by saying that while it sincerely regretted that its patients’ confidentiality had been compromised by Multi-Specialty, it “intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.”
