Stanford, contractor to pay $4.1 million over privacy

It will take $4.1 million for Stanford (CA) Hospital & Clinics and one of its former contractors to settle a class action lawsuit claiming the hospital violated state privacy law by allowing the protected health information (PHI) of 20,000 emergency department patients to be posted online for nearly a year. The PHI was found on a website that helped students answer homework questions.

Shana Springer sued the hospital and Los Angeles-based Multi-Specialty Collection Services in 2011 and said her information was part of the information found on the site. She was one of the patients in the hospital’s emergency department from March 1, 2009, to Aug. 31, 2009, whose PHI was on the public website for almost a year.

Stanford acknowledged the breach soon after it was reported publicly but blamed Multi-Specialty Collection Services. Hospital officials claimed they sent the medical information to the collection and billing services firm in an encrypted format but the contractor then created a spreadsheet that was sent to the website for help in creating a graph.

In a statement released after the settlement, Stanford says the Multi-Specialty Collection Services and Corcino & Associates, the owner of the website, will pay $3.3 million of the $4.125 million settlement. The hospital will pay the rest. In addition, the hospital will fund a two-year program that trains medical professionals to protect patient records.

"Patient privacy and data security continues to be an utmost priority at Stanford Hospital & Clinics," the statement said. "We are pleased to have put this case behind us and look forward to helping outside vendors better understand and comply with new patient privacy regulations."

As part of the settlement, each of the affected patients will receive a little more than $100.