Stanford Hospital sued for $20M over data breach, faults billing contractor

Twenty million dollars for 20,000 patients: That's how much Stanford Hospital & Clinics stands to owe if the patients win their class-action lawsuit against the leading hospital. Stanford is vowing to fight the lawsuit, which was filed by a patient on behalf of thousands of patients whose information was exposed online for almost an entire year, reports the Palo Alto Daily News.

Representing 20,000 patients, Shana Springer last month filed the complaint in Los Angeles County Superior Court, seeking damages worth $1,000 for each patient. Springer was treated in the emergency room in 2009, according to the article.

The data breach was discovered on Aug. 22, and the information was removed the next day when Stanford Hospital began an "aggressive investigation," according to a Stanford press release.

Stanford pointed to its billing contractor (and co-defendant), Multi-Specialty Collection Services LLC (MSCS), as the culprit for mishandling patients' data. The hospital sent the data to MSCS in encrypted form, according to Stanford Hospital. MSCS's executive vice president allegedly created an unencrypted electronic spreadsheet and sent it to an unauthorized person to create bar graphs and charts. The unnamed third party allegedly posted it to Student of Fortune, a public homework help site.

The data breach included patients' names, diagnosis codes, hospital account numbers, and emergency room admission and discharge dates. Credit card and Social Security numbers were not exposed, according to the Stanford statement.

MSCS marketing vendor Frank Corcino converted the spreadsheet and forwarded it to a woman as part of a skills test for a job, MSCS told The New York Times. Corcino said the breach resulted from "a chain of mistakes which are far too easy to make when handling electronic data."

According to Health & Human Services, 7.9 million people have had their health records exposed. There have been 30,000 data breaches since required reporting began in 2009.

For more information:
- read the New York Times article
- read the ComputerWorld article
- read the Palo Alto Daily News article
- here's Stanford's statement