Stanford responds to breach of patient data

A patient of Stanford Hospital & Clinics in Palo Alto, CA, recently alerted the provider to a disturbing find: Detailed medical and billing records for 20,000 of the hospital's patients were posted on a homework help site. Even worse, the records had been posted for nearly an entire year.

Los Angeles attorney Bradley I. Kramer, MD, JD, recently announced that he has been retained in a multi-million dollar class action case against Stanford related to the unauthorized disclosure.

The breach was discovered in August, and the hospital immediately began an investigation, says Gary Migdol, director of communication for the hospital. The information was contained in a detailed spreadsheet posted to a web site called Student of Fortune, where students can pay others for help with schoolwork.

Stanford soon determined that the information was posted by a billing contractor identified as Multi-Specialty Collection Services and first appeared on the site on Sept. 9, 2010, Migdol says. The patient data was in an attachment to a question about how to convert the data into a bar graph.

The spreadsheet included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for 20,000 patients treated at Stanford Hospital's ED during 2009, Migdol says. The spreadsheet did not include Social Security numbers, birth dates, or credit-card numbers, Migdol says, but to allay fears about potential identity theft, the hospital offered to pay for identity protection services to the patients involved in the breach.

Migdol says, "The information included the patient's name, medical record and hospital account numbers, an emergency department admission/discharge date, diagnosis codes related to the emergency department visit, and billing charges."

Diane Meyer, SHC/LPCH vice president, chief compliance officer, and chief privacy officer, wrote a letter to the affected patients soon after the breach was discovered by a patient and reported to the hospital Aug. 22. Meyer says the hospital took "aggressive steps" to ensure that the web site removed the post within 24 hours. Stanford also notified state and federal agencies. The Department of Health and Human Services is expected to conduct its own investigation. The breach was traced to Los Angeles-based vendor Multi-Specialty Collection Services (MSCS). The vendor provided business and financial support to the hospital and was legally responsible for protecting all patient information needed for its services, Migdol says.

He says, "Stanford Hospital & Clinics sent the data to MSCS for permissible hospital billing support purposes using its secure systems. The data were encrypted and were solely to be used by the contractor for the business service. MSCS's contractor was not allowed to share the decrypted data with others, which apparently was done in this case contrary to law and the hospital's contract." 

MSCS had a subcontractor who created the spreadsheet and caused it to be posted, Migdol says. Exactly how and why the data ended up on the homework help site is not clear, he says, but it was attached to a question asking how to create bar graphs and charts from data.

Stanford immediately suspended its relationship with the contractor, Migdol says. The hospital received written assurance that other patient data files would be destroyed or returned securely.