Healthcare News & Insights

Facility may pay $4.1M and it’s not for violating HIPAA

While Stanford Hospital and Clinics has had five major HIPAA breaches over the past three years, this $4.1 million settlement isn’t in reference to them. 

This lawsuit settlement stems from a 2010 incident in which Stanford violated California’s medical privacy law.

Here’s what happened: Stanford notified nearly 20,000 emergency room patients that their protected health information (PHI) had been posted by accident to a student website, where it remained for nearly a year. The PHI included medical record numbers, hospital account numbers, billing charges, and emergency room admission and discharge dates.

Shana Springer was one of the patients whose PHI was posted. In 2011, she filed a $20-million class action lawsuit against Stanford and Multi-Specialty Collection Services, Stanford’s business associate that was partly responsible for the breach, for violating California’s Confidentiality of Medical Information Act. Corcino & Associates LLC was later added to the class action complaint.

Settlement breakdown

The lawsuit settlement was approved last month by Los Angeles County Superior Court Judge Elihu Berle, reported The San Jose Mercury News.

Stanford agreed to pay $500,000 for a program to educate vendors on recent regulations that hold them accountable for privacy breaches, and $250,000 to cover administrative costs of the settlement.

Multi-Specialty Collection Services and Corcino & Associates will pay $3 million.

In a statement, however, Stanford stressed that federal and state government agencies reviewed its actions, including security and privacy safeguards, and determined there was no violation on its part. The reason the hospital agreed to participate in the settlement was to avoid the costs of continuing the litigation.

Stanford noted in its letter to the patients involved in the breach that it had sent Multi-Specialty Collection Services encrypted patient information for “permissible business purposes,” thus making the company “responsible by law and contract for protecting all patient information provided to it for its services.”

Not the first

This, however, isn’t Stanford’s first involvement with a breach. Since 2010, the facility has reported five HIPAA breaches that involved 92,000 patients’ PHI. Four of these breaches involved unencrypted company laptops that were stolen.

According to Susan McAndrew, the Department of Health and Human Services’ Office for Civil Rights deputy director for health information privacy, 48% of all breaches reported are from theft.
