Widgets Magazine

SHC patient-privacy suit looms

A class action suit has been filed against Stanford Hospital & Clinics and a third-party vendor by patients whose personal information was published on a public website discovered earlier this month.

A third-party vendor and its subcontractor with whom the Hospital had been working were responsible for posting patients’ names, hospital admittance, exit dates and other information on a commercial site, where it remained for almost one year.

Patients’ information from dates ranging March 1 to Aug. 31, 2009 was posted on a student-run homework site called Student of Fortune in September 2010.

“We value the privacy of patient health information and are committed to protecting it at all times,” said Diane Meyer, Chief Privacy Officer at Stanford Hospital & Clinics in a Hospital press release. “Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients’ information.  We have worked extremely hard to identify all the parties responsible.”

After launching an investigation at the end of August, the Hospital found Multi-Specialty Collection Services, LLC (MSCS) and its subcontractor to be the source of the leak. MSCS was contracted to provide “business and financial support to the Hospital, and was legally responsible for protecting all patient information needed for its services.” It was determined that no Hospital employees were involved with the posting of information.

In a statement released Monday morning, SHC said it would defend the lawsuit.

“Stanford Hospital & Clinics understands that a purported class action lawsuit was filed against it and Multi-Specialty Collection Services, LLC, an outside vendor that caused some confidential information about patients who visited Stanford Hospital’s emergency room to be posted on a website,” the statement reads. “SHC intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.”

Approximately 20,000 patients were affected by the security breach; SHC mailed informational letters to each in response. The lawsuit was filed on behalf of some of these patients in a Los Angeles court.

According to SHC Director of Communications Gary Migdol, the Hospital was not planning to comment further on the matter at this time.

  • Breached —another victim

    Stanford Hospital thinks it can put the blame solely on “unprofessional vendors” and in doing so, dismiss it’s own responsibility of due diligence in evaluating vendors. How is it, the vendors they chose no longer have web presence; they removed ALL their profiles, websites, and information the week the breach was discovered. These vendors are basically one-man companies. These vendors are anything but professional and established… and Stanford gave them MY records, and yours (if you have been a patient at SHC in the past few years.) This is not about identity theft, this is about breach of patient confidentiality. Period. If the Hospital had given the records to a local hot dog vendor, I can guarantee they would still be pointing a finger at someone other than themselves.

  • Bertiebot

    To restore some confidence that Stanford is taking this seriously, this dismissal of Meyer should happen as soon as possible.  Also, Stanford needs to disclose the names of and summarily dismiss (1) the person who gave the data to the vendor, and (2) the person who screened the vendor.  These names will come out in the litigation, the sooner Stanford makes a complete statement and fires those involved, the sooner patients will be able to trust Stanford again.  These people should never be entrusted with patients data ever again.