Stanford Univ., L.A. County privacy breaches costly, expansive

A breach of state privacy law could cost Stanford Hospital & Clinics and one of its former contractors more than $4 million after medical information of 20,000 emergency room patients was posted online for nearly a year.

A tentative settlement in a class-action lawsuit was approved Wednesday, reports the San Jose Mercury News.

And a breach affecting 168,500 people has led to a class-action lawsuit against Los Angeles County and a vendor that handles patient billing and payment collections, according to Healthcare Info Security.

Shana Springer cited California's Confidentiality of Medical Information Act in her original $20 million lawsuit against Stanford and Los Angeles-based Multi-Specialty Collection Services. That law prohibits healthcare providers from disclosing patient records without written consent.

In the proposed $4.1 million settlement, the patients would receive a little more than $100 each, according to the article. The settlement would require the hospital to fund a program for two years to train medical professionals to protect patient records.

Stanford maintains the data was encrypted when it was sent to the contractor, but that contractor sent it to a third party as an electronic spreadsheet. The data eventually wound up on a student homework-help website called Student of Fortune as an example of how to build a bar graph.

Stanford also suffered a breach in 2012, when the theft of a password-protected computer prompted the organization to notify 2,500 patients that their personal data could have been compromised.

The Los Angeles breach resulted from the theft of eight unencrypted desktop computers from the Torrance, Calif., office of Sutherland Healthcare Services, which handles patient billing and payment collections for the county's departments of health services and public health.

That case is in the discovery phase, which will focus on details including the physical security at Sutherland's offices, why encryption and other safeguards were not used, and the county's oversight of its vendor.

These stories underscore the well-placed concern about business associates' privacy and security practices.

Seventy-three percent of healthcare organizations responding to a recent Ponemon Institute survey said they don't fully trust their business associates' security practices. And only 30 percent are confident that their business associates fully comply with HIPAA.
