A class-action lawsuit for $20 million has been filed against Stanford Hospital & Clinics over a patient-information breach, the hospitals announced Monday (Oct. 3).
Shana Springer, a woman whose information ended up on a website after an oversight by a subcontractor, filed a class-action suit on Sept. 28 in Los Angeles County Superior Court.
Springer sought treatment at Stanford's emergency room around Aug. 31, 2009 and provided her personal information and hospital account number, according to the lawsuit.
The suit alleges the information posted on the website included her name, medical record and hospital account numbers, admission/discharge dates, diagnosis codes and billing charges.
It asks for $1,000 per class member of the suit. The hospitals acknowledged on Sept. 8 that a data breach involving 20,000 patients' records had occurred. The patients were seen in the emergency room between March and August of 2009.
The patients' information was posted on a public website for nearly a year before being removed Aug. 22. Neither Social Security numbers nor credit card information was among the data, hospital officials said.
A subcontractor of an outside vendor, Multi-Specialty Collection Services, created the compromised data file, Stanford said. It has also been named in the suit. The data was posted on the Student of Fortune website, according to the New York Times. The site provides homework help and the data was used to show how to create a bar graph.
Stanford said in a statement it has heard of the class-action lawsuit but did not provide details regarding the lawsuit.
"Stanford Hospital & Clinics (SHC) intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.
"SHC takes very seriously its obligation to treat its patient information as private and confidential. As soon as this was brought to SHC's attention by a patient, the hospital demanded and had the spreadsheet taken down from the website and backup servers.
"SHC quickly notified the affected patients of this breach and offered to provide free identity protection services to all the patients, even though the information disclosed on the website is not the type used for identity theft.
"To date there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose. SHC has investigated this matter, terminated its relationship with Multi-Specialty Collection Services, and reported this breach to law-enforcement authorities," the hospital said in the statement.
Stanford officials said Multi-Specialty Collection Services, a California company, provided business and financial support to the hospitals. Multi-Specialty was operating under a contract that specifically required it to protect the privacy of the patient information. The hospital sent the data to Multi-Specialty in an encrypted format to protect its confidentiality.
A hospital investigation found that Multi-Specialty prepared an electronic spreadsheet from the data that had patient names, addresses and diagnosis codes. The company sent the spreadsheet to a third person who was not authorized to have the information and who posted it on a website.
"This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract with SHC and is shockingly irresponsible. SHC regrets that its patients' confidentiality was breached and is committed to protecting the health and privacy of all of its patients," the hospital said.
A spokesperson for Multi-Specialty said the company could not comment on the lawsuit or Stanford's allegations, since there is an ongoing investigation.
Comments
Midtown
on Oct 3, 2011 at 4:22 pm
What do the victims want? Tighter data security at Stanford? 3rd party auditing of patient record security? Private investigators to track down the criminals? More information from Stanford of how the leak occurred and exactly what data was stolen? This article is too vague about what the case is all about.
Another Palo Alto neighborhood
on Oct 3, 2011 at 5:46 pm
> It will be interesting to see if the ambulance-chasing lawyers (now turned to chasing security breaches) will be able to prove any actual harm to any of the 20,000 litigants that are suing the University.
Stanford (and every organization that possesses customer/client information) needs to tighten up its security. It would not be a bad move to fire its current security head, and if it does not have a CIO (Chief Information Officer), then to appoint one.
Stanford needs a kick-in-the-pants over this, but paying the people whose names were released that can prove no damage sets a terrible precedent, which will only drive up the cost of medical care for the rest of us.
another community
on Oct 3, 2011 at 6:46 pm
Go Bears!
Another Palo Alto neighborhood
on Oct 4, 2011 at 6:12 am
> What do the victims want?
According to the Daily News, the lawsuit calls for a payment of $1,000 for each person whose name was allegedly made public, and "attorney fees", of course. This comes to a cool $20M. How much these vultures will claim as only "fair compensation" for their efforts is an open question, but there is no doubt that they will want more than the entire budget for some small country.
Registered user
Mountain View
on Oct 4, 2011 at 11:56 am
The problem with the Stanford Hospital defense is that Stanford was already having a problem meeting the proper handling of patient data under HIPAA requirements. I had to deal directly with the CEO and was able to do it because of their sloppy security habits.
Stanford Hospital and the related departments MUST tighten security at all levels, starting with social engineering issues (like a doctor leaving patient data on the computer when he/she/it leaves the room) to the CEO leaving their PRIVATE e-mail address PUBLIC.
Both of the issues I describe I have personally witnessed when I had been treated at Stanford.
I didn't sue; but I DID notify Stanford about the laxness in their IT department when it came to security. No callbacks, just all the data on my treatments for FREE.
Therein lies the heart of the problem; HIPAA REQUIRES Cheap and total access to the data TO A PATIENT (the P in HIPAA is the word PORTABILITY not PRIVACY as some shyster HOSPITALS and DOCTOR OFFICES claim on their forms), but TIGHT security to everyone else that requests or is given the patient data.
That makes Stanford available for a CULPABLE NEGLIGENCE suit; they knew they had this problem for YEARS and they didn't fix it.
Sorry, Stanford Hospital, but you were warned....
Community Center
on Oct 4, 2011 at 4:04 pm
It appears that Stanford wasn't the party that divulged the information but rather the collection agency they employed. Stanford should have made sure that the company they hired had airtight controls before entrusting them with HIPAA information. Stanford was the source of the original information and turned it over to this agency who blatantly ignored HIPAA regulations. When one outsources, one needs to be assured of quality control - this was not the case here. Maybe they were the cheapest?
Downtown North
on Oct 4, 2011 at 10:38 pm
Stanford Hospital thinks it can solely blame "unprofessional vendors" and in doing so, dismiss its own responsibility of due diligence in evaluating vendors. The vendors they chose no longer have web presence; they removed ALL their profiles, websites, and information the week the story broke. These vendors are basically one-man companies. These vendors are anything but professional and established... and Stanford gave them MY records, and yours (if you have been a patient at SHC in the past few years.) This is not about identity theft, this is about breach of patient confidentiality. Period. If the Hospital had given the records to a local hot dog vendor, I can guarantee they would still be pointing a finger at someone other than themselves.
College Terrace
on Oct 5, 2011 at 1:47 am
I think it is REALLY important for the world that this lawsuit be successful.
The publishing of medical records in a country where insurance can be denied or a job lost based on "health" comprises criminal negligence.
It is important not just to reimburse these people but to the rule of law.
Stanford has deep pockets. They should pay up.
Another Palo Alto neighborhood
on Oct 5, 2011 at 8:23 am
People will sue for any free money, especially in this economy.
Registered user
Midtown
on Oct 6, 2011 at 4:59 am
Perhaps if we required parties to a class action lawsuit to pony up a retainer of, say $100 to be included...
Charleston Gardens
on Oct 6, 2011 at 6:04 am
Well I'm one of those affected by the breach. And I didn't go into the ER to get treated and then have my information splattered all over the internet. So I'm all for it.
another community
on Oct 6, 2011 at 8:25 am
The breach of data at Stanford Hospital and Clinic demonstrates the need for companies to thoroughly vet all third party vendors and contractors. Despite the information being properly secured by Stanford Hospital, the third party failed to properly secure and manage the information once it was in their hands. It is important to do the appropriate due diligence before engaging a vendor with whom you will be sharing sensitive information and then ensuring the appropriate protection, notification, insurance requirements as well as liability considerations are appropriately stated and enforced within the contract. Companies using external resources for any managing of information need to conduct a review of the third party’s practices in protecting and sharing data. Failure to do so puts your customers, partners and your company at risk.
Signed,
Brian McGinley
SVP, Data Risk Management
Identity Theft 911
idt911.com
Downtown North
on Oct 6, 2011 at 8:35 am
Well here's the funny thing.... this was simply ONE batch of 20,000 records that was revealed, by those "vendors" has been sent, were given access, to many many more records over the past few years.... maybe even your record. And if you read the New York Times most recent article (today), you'll get a sense of how unprofessional these selected vendors were. Stanford Hospital sent patient records to a one-man "company" who then gave the information to someone he was interviewing for a job! The job applicant was given legally protected confidential data, and then posted it online. ...Isn't that special!
As for the snide remarks about a class action....victims don't get rich from class actions... if any of you want a whooping $1000 in exchange for posting your most confidential health and medical data on some frivolous student website, than just wait.... it could happen for you sooner or later, or maybe already has.
Downtown North
on Oct 6, 2011 at 8:42 am
I apologize for all the typos, using an iPhone. here is what I intended:
Well here's the funny thing.... this was simply ONE batch of 20,000 records that was revealed, but those "vendors" had been sent, and given access, to many many more records over the past few years.... maybe even your record. And if you read the New York Times' most recent article (today), you'll get a sense of how unprofessional these selected vendors were. Stanford Hospital sent patient records to a one-man "company" who then gave the information to someone he was interviewing for a job! The job applicant was given legally protected confidential data, and then posted it online.
As for the snide remarks about a class action....victims don't get rich from class actions... if any of you want a whopping $1000 in exchange for posting your most confidential health and medical data on some frivolous student website, then just wait.... it could happen for you sooner or later, or maybe already has.
Southgate
on Oct 6, 2011 at 9:06 am
It is ok to write imperfect grammar, it is ok to have an imperfect life and it is ok to know that they had lost our records, coz life is full of imperfect events.
Los Altos
on Oct 6, 2011 at 10:04 am
> to Perfect
Somehow that doesn't compute. Why have laws and regulations if life is so "imperfect?" How absurd to equate a few words of one individual's imperfect grammar with the sweeping imperfect responsibility of a medical institution. Why even have HIPAA rules at all in such an imperfect world?
Southgate
on Oct 6, 2011 at 10:20 am
The government creates the law, some are for wars, some are for oils, some are for riches, so they are imperfect also.
Los Altos
on Oct 6, 2011 at 10:43 am
Yes, "perfect." The patient who goes to the Stanford Hospital emergency room for (culturally stigmatized) HIV complications, or the woman who seeks treatment after a violent rape, should expect to have their confidential medical data openly displayed on the web for all to see. We should just smile at them and say, "hey, it's an imperfect world. Get over it!"
Southgate
on Oct 6, 2011 at 10:52 am
Yeah, what you can do, ask the students who saw it to spit it out from their throats. How funny!!!!!!!!
Gunn High School
on Mar 5, 2014 at 9:50 am
Stanford University is one of the most corrupt institutions. Never send your kids to Stanford for an education.
Palo Alto High School
on Mar 5, 2014 at 10:43 am
@Jon: It's acceptance letter time. I'm guessing your senior didn't gain an acceptance letter to Stanford? The only way for Palo Altans to be admitted to Stanford is through connections.