Cost Of A Data Breach: $20 Million For Someone Else’s Screw Up.

Stanford Hospital & Clinics is being sued for $20 million in a class-action suit filed in Los Angeles.  The company has announced its intentions to vigorously defend itself.  The unfortunate thing about this case is that Stanford Hospital & Clinics did everything by the book when it came to patient data protection, including the use of data encryption.

Third-Party Breach

The information for 20,000 patients treated at Stanford Hospital was viewable online for almost one year.  The information included “medical record numbers, hospital account numbers, billing charges, and emergency room admission and discharge dates.”  In one case, a man’s psychiatric diagnosis was also available.

The situation is a Rube Goldberg-esque situation.  According to

Private medical data for nearly 20,000 emergency room patients at California’s prestigious Stanford Hospital were exposed to public view for nearly a year because a billing contractor’s marketing agent sent the electronic spreadsheet to a job prospect as part of a skills test, the hospital and contractors confirmed this week. The applicant then sought help by unwittingly posting the confidential data on a tutoring Web site.

The fault obviously lies with the billing contractor, Multi-Specialty Collection Services.  What kind of professional company goes around sending client data to a job prospect?  Especially medical data?

(I guess this is not the stage for social commentary, but get this:

The job applicant apparently was challenged to convert the spreadsheet — which included names, admission dates, diagnosis codes and billing charges — into a bar graph and charts, Stanford Hospital officials said.

Not knowing that she had been given real patient data, the applicant posted it as an attachment to a request for help on, which allows students to solicit paid assistance with their work.

Uhm…I realize that the economy is bad and people are out of jobs, but honestly, if this is how you perform in an interview…well, I can’t blame her.  It’s the employer’s fault for not conducting the interview in a controlled setting).

What About Stanford Hospital?

On the other hand, Stanford Hospital sent the data to Multi-Specialty Collection Services in encrypted form.

And why wouldn’t it?  The medical organization’s practices falls under the auspices of HIPAA.  Furthermore, it had a contract with the collection agency that specifically stipulated that it would protect patient data.  So why is it getting sued?

I’m guessing the answer is “lawyers.”  In cases like these, you sue everyone involved and hope something sticks.  This is especially true because in the US you have to prove that there were damages.  The potential for damages — who knows when information will be used in some identity theft scam? — is not grounds for winning.

Related Articles and Sites:

Comments (0)

Let us know what you think