$4.1M Settlement for 2010 Stanford University Hospital HIPAA Breach

According to a recent report in the San Jose Mercury News, Stanford Hospital & Clinics and one of its former contractors – Multi-Specialty Collection Services LLC – have agreed to pay a settlement of $4.125 million for a large-scale data breach that occurred in 2010. The breach exposed the PHI of 20,000 patients who had used the hospital's emergency room between March and August 2009.

The data was posted to a third-party student homework website, where it was viewable by unauthorized individuals and was potentially accessible for almost 12 months. No credit card details or Social Security numbers were included, but the records did carry personal identifiers alongside diagnoses, treatments prescribed, billing charges, hospital account numbers and admission/discharge dates. One man from Santa Clara had his psychiatric diagnosis included in the data available through the website. There was no indication that the information was viewed, accessed or used for illegal purposes, but the possibility existed: a public website keeps no record the Hospital or its business associates could inspect, so the data could have been copied without their knowledge.

The incident prompted a class action lawsuit, as the breach violated California’s Confidentiality of Medical Information Act (CMIA), which prohibits the disclosure of medical information without first obtaining the patient's consent. The lawsuit was filed by Shana Springer, and her attorney pursued $20 million in damages: $1,000 for each of the roughly 20,000 affected patients, the statutory amount the CMIA provides per violation.

The data breach was not caused by the actions of Stanford University staff, who fulfilled their obligations to keep the patient data secure. The PHI was encrypted when it was sent to the business associate; the breach occurred when the business associate forwarded the data to a third-party subcontractor. It was supplied as an unencrypted spreadsheet for the purpose of producing a graph, and that spreadsheet was subsequently placed on the “Student of Fortune” website. The practical lesson is that encrypting data in transit protects it only until an authorized recipient decrypts it; once the business associate was working on the plaintext, the Hospital's control over where the data travelled next depended entirely on the business associate's own handling and on the contractual obligations it passed to its subcontractor.

Stanford University was quick to point out that it was not at fault; it was its business associate that violated privacy laws. The university laid the blame on Multi-Specialty Collection Services for failing to encrypt the data before sending it on to Corcino & Associates to prepare the graphics.

The Hospital ensured that the data was removed as soon as the breach came to light, has since contacted all persons affected, and has offered them credit monitoring services to mitigate any damage caused.

An investigation by federal agencies exonerated the University, which was found to have played no part in the data breach. Stanford University has nevertheless agreed to contribute $500,000 toward ensuring that all of its business associates and staff are made aware of the rules and regulations covering PHI, to prevent future breaches. A further quarter of a million dollars will be paid to cover administrative costs. Stanford University agreed to pay this part of the settlement to avoid incurring any further costs from the lawsuit.

$3.3 million of the settlement will be covered jointly by Multi-Specialty Collection Services and Corcino & Associates, although the exact split has yet to be finalized. The lawsuit is expected to be resolved in the next few weeks, and payments to all plaintiffs will be made automatically. Each affected patient is expected to receive approximately $100.

The aim of the lawsuit was not to obtain a large settlement for the victims, but to ensure that the privacy of patients is properly protected in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.