Stanford Sued Over Data Breach

Stanford University's hospital system and a former billing subcontractor are co-defendants in a class-action suit that seeks damages for the online posting of information from 20,000 patients' medical records.

The lawsuit, filed last week in Los Angeles Superior Court against Stanford Hospital & Clinics and the billing vendor, Multi-Specialty Collection Services, seeks unspecified damages on behalf of anyone whose health data was posted online--namely patients who visited the Stanford Hospital emergency room, in Palo Alto, Calif., between March 1 and Aug. 31, 2009. A copy of the suit is available at ModernHealthcare.com.

A digital spreadsheet containing the patients' names, medical records, hospital account numbers and the dates of treatment was posted online Sept. 10, 2010, at studentoffortune.com, a website that helps students with their homework. The data remained online for almost a year before a patient discovered it on Aug. 22.

Stanford Hospital says responsibility for the data breach rests with Los Angeles-based Multi-Specialty Collection Services, which it fired following discovery of the privacy lapse. In an Oct. 3 statement, the hospital contends that it sent the data to the company in an encrypted format to protect its confidentiality. A hospital investigation showed that the vendor, known as MSCS, prepared a spreadsheet and sent it to a third person not authorized to have the information.

That person "improperly posted it on a website, apparently to get assistance in generating a graph from MSCS's spreadsheet," the hospital says. "This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract ... and is shockingly irresponsible."

MSCS did not immediately return a call seeking comment.