Stanford Hospital & Clinics (SHC) announced that it is making identity protection resources available to the 20,000 patients whose personal files were posted online for nearly one year on a student tutorial forum. The information was first posted last August.
The Hospital officially recognized the privacy breach in September and, as of last week, faces a $20 million lawsuit.
SHC notified patients last month that a spreadsheet handled by Multi-Specialty Collection Services (MSCS), a third party billing contractor, was posted on Student of Fortune, a free homework help website. SHC made a professional call center and identity protection company called Debix available to patients for assistance.
Patient Shana Springer filed a class-action suit against SHC and the outside vendor, MSCS, a company providing business and financial support to the Hospital, when she learned about this breach of patient privacy. This class-action suit is seeking $20 million in damages, or $1,000 for each of the 20,000 patients affected.
According to SHC director of communications Gary Migdol, SHC “immediately suspended all work with the vendor [MSCS] upon discovery of the breach and demanded that MSCS lock down all patient information.” The relationship between SHC and MSCS has since been terminated, Migdol said.
Though SHC has pointed any direct inquiries about the breach to MSCS, the company recently disabled its website and could not be reached for comment.
Investigators hired by SHC determined in their inquiry that Frank Corcino, executive vice president of MSCS and SHC’s primary contact with the contractor, originally requested the patient files containing names, diagnosis codes, account numbers and admission and discharge dates of approximately 20,000 patients who visited the Hospital’s emergency room in 2009. The hospital complied and sent Corcino the encrypted data in 2010.
SHC said in its Oct. 7 and 9 statements that “[the Hospital] sent encrypted patient information to MSCS for permissible business purposes . . . [and] MSCS was responsible by law and contract for protecting all patient information provided to it for its services.”
The hospital added that sending these encrypted files followed the regulations from the 1996 Health Insurance Portability and Accountability Act (HIPAA). In both the Oct. 7 and 9 statements, SHC said the “regrettable incident” was the result of MSCS’ breach of contract.
Corcino said in a statement to the New York Times that he decrypted the data after receiving it from Stanford. He then created a spreadsheet out of the patient files and gave the information to an unidentified job applicant to MSCS as part of a skills test. The applicant, who allegedly was unaware that the spreadsheet data was private, posted the files to Student of Fortune. SHC later discovered these files on Aug. 22, 2011, and requested their removal. Student of Fortune responded promptly to this request.
“We take violations of our terms of use very seriously, including posting confidential materials,” wrote Gita Chandra, account director of Student of Fortune, in an email to The Daily. “With respect to Stanford Hospital, we removed the file and deleted it from our records immediately after being notified of a violation.”
Although SOF removed these files by the next day, some patients expressed concern about whether this incident made them vulnerable to future identity theft.
SHC maintains that the leaked information has not been used to harm the patients.
“To date there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose,” SHC said last week in its Oct. 7 and 9 press releases.
In an interview with The Daily, Bradley I. Kramer, one of the lawyers representing the class-action suit, stated that he was not aware of any identity theft incidents resulting from the posted information. As the SHC investigation continues, Kramer states that his firm plans on conducting its own investigation if the suit goes to trial.
Ivy Nguyen contributed to this report.