Lapse in Business Associate Security Causes 20K Patient HIPAA Breach
According a New York Times report published this week, the medical records of 20,000 patients of Stanford University Hospital in Palo Alto, Calif., have been posted online and accessible to the public for close to a year after an error was made by one of the hospital’s business associates.
The hospital and its contractor – Multi-Specialty Collection Services of Los Angeles (MSCS) – confirmed that a spreadsheet containing the medical data of 20,000 patients had been accidentally sent to a job prospect who in turn posted the data on a tutoring website as part of a job skills test. The data was posted on Dec. 9, 2010 and remained accessible until a patient discovered it and brought it to the attention of the hospital on Aug. 22, 2011.
MSCS explained how the incident occurred in an email sent to affected patients, according to the NYT report. MSCS President, Anthony Reyna, told the patient that a marketing vendor had been sent patient health information directly from Stanford Hospital. After converting the data to a different format it was inadvertently given to a job applicant to use as part of a skills test; which involved converting the data into graphs and charts. The applicant posted the data on a website called studentoffortune.com and solicited help with the assignment.
Not having received offers of assistance with the work, the applicant completed the task on her own, although she did not get the short time position for which she applied and she forgot to delete the post. The data remained on the website until it was discovered nearly a year later. The student had no reason to believe that the data was real, and Anthony Reyna confirmed that the exposure resulted from the actions of his vendor, Frank Corcino.
Get The Checklist
Free and Immediate Download
HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
The data contained in the spreadsheet included names, dates of admission, diagnostic codes, billing codes and charges, but no social security numbers were included in the data. As soon as the data breach was discovered the BA was advised to immediately remove the spreadsheet. The data has now been removed although it is not known how many people accessed the data during the time it was online.
HIPAA violations are investigated by the Office for Civil Rights of the Department of Health and Human Services and civil and even criminal penalties can be brought against organizations that fail to implement the necessary controls to protect the medical records of patients.
Lawyers have already filed class action lawsuits against Stanford Hospital & Clinics and Multi-Specialty Collection Services, with $20 million damages being claimed for a lack of safeguards being implemented to protect patient data. The hospital has terminated the contract with its business associate, which in turn has terminated its association with Mr. Corcino. Assistant Vice President of Stanford University, Lisa Lapin, distanced the hospital from its associate and said “MSCS bears the complete and sole responsibility for the breach.”
While it does not take responsibility for the HIPAA breach itself, the hospital is taking action to mitigate any damage caused and has already notified all patients concerned and offered them free credit monitoring and identity theft services. The hospital also confirmed that no credit card details, dates of birth or Social Security numbers had been exposed in the breach.
This HIPAA breach shows how a string of simple errors can result in the exposure of thousands of protected health records. Healthcare organizations must ensure that business associates are aware of the regulations laid down by HIPAA to protect the privacy of patients, and ensure the necessary controls are implemented to keep electronic health records of patients protected.