Keller Grover, a law firm that has been investigating a patient-information breach at Stanford Hospital & Clinics, has filed a class-action lawsuit against the hospital and Multi-Specialty Collection Services, LLC, the outside vendor that caused the breach, the hospitals announced Monday (Oct. 3).
The hospitals acknowledged on Sept. 8 that a data breach involving 20,000 patients' records had occurred. The patients were seen in the emergency room between March and August of 2009.
The patients' names, diagnosis codes and billing amounts were posted on a public website for nearly a year before being removed Aug. 22. Social Security numbers or credit card information was not among the data, hospital officials said.
A subcontractor of an outside vendor, Multi-Specialty Collection Service, created the compromised data file, Stanford said. The data was posted on the Student of Fortune website, according to the New York Times. The site provides homework help and the data was used to show how to create a bar graph.
Stanford said in a statement it has heard of the class-action lawsuit but did not provide details regarding the lawsuit.
"Stanford Hospital & Clinics (SHC) intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.
"SHC takes very seriously its obligation to treat its patient information as private and confidential. As soon as this was brought to SHC's attention by a patient, the hospital demanded and had the spreadsheet taken down from the website and backup servers.
"SHC quickly notified the affected patients of this breach and offered to provide free identity protection services to all the patients, even though the information disclosed on the website is not the type used for identity theft.
"To date there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose. SHC has investigated this matter, terminated its relationship with Multi-Specialty Collection Services, and reported this breach to law-enforcement authorities," the hospital said in the statement.
Stanford officials said Multi-Specialty Collection Services, a California company, provided business and financial support to the hospitals. Multi-Specialty was operating under a contract that specifically required it to protect the privacy of the patient information. The hospital sent the data to Multi-Specialty in an encrypted format to protect its confidentiality.
A hospital investigation found that Multi-Specialty prepared an electronic spreadsheet from the data that had patient names, addresses and diagnosis codes. The company sent the spreadsheet to a third person who was not authorized to have the information and who posted it on a website.
"This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract with SHC and is shockingly irresponsible. SHC regrets that its patients' confidentiality was breached and is committed to protecting the health and privacy of all of its patients," the hospital said.
A spokesperson for Multi-Specialty said the company could not comment on the lawsuit or Stanford's allegations, since there is an ongoing investigation.