Shana Springer, a woman whose information ended up on a website after an oversight by a subcontractor, filed a class-action suit on Sept. 28 in Los Angeles County Superior Court.
Springer sought treatment at Stanford's emergency room around Aug. 31, 2009 and provided her personal information and hospital account number, according to the lawsuit.
The suit alleges the information posted on the website included her name, medical record and hospital account numbers, admission/discharge dates, diagnosis codes and billing charges.
The suit asks for $1,000 per class member. The hospitals acknowledged on Sept. 8 that a data breach involving 20,000 patients' records had occurred. The patients were seen in the emergency room between March and August of 2009.
The patients' information was posted on a public website for nearly a year before being removed Aug. 22. Neither Social Security numbers nor credit card information was among the data, hospital officials said.
A subcontractor of an outside vendor, Multi-Specialty Collection Services, created the compromised data file, Stanford said. It has also been named in the suit. The data was posted on the Student of Fortune website, according to the New York Times. The site provides homework help, and the data was used to show how to create a bar graph.
Stanford said it has heard of the class-action lawsuit but did not provide details about it. An official statement from the hospital said:
"Stanford Hospital & Clinics (SHC) intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.
"SHC takes very seriously its obligation to treat its patient information as private and confidential. As soon as this was brought to SHC's attention by a patient, the hospital demanded and had the spreadsheet taken down from the website and backup servers.
"SHC quickly notified the affected patients of this breach and offered to provide free identity protection services to all the patients, even though the information disclosed on the website is not the type used for identity theft.
"To date there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose. SHC has investigated this matter, terminated its relationship with Multi-Specialty Collection Services, and reported this breach to law-enforcement authorities."
Stanford officials said Multi-Specialty Collection Services, a California company, provided business and financial support to the hospitals. Multi-Specialty was operating under a contract that specifically required it to protect the privacy of the patient information. The hospital sent the data to Multi-Specialty in an encrypted format to protect its confidentiality.
A hospital investigation found that Multi-Specialty prepared an electronic spreadsheet from the data that had patient names, addresses and diagnosis codes. The company sent the spreadsheet to a third person who was not authorized to have the information and who posted it on a website.
"This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract with SHC and is shockingly irresponsible. SHC regrets that its patients' confidentiality was breached and is committed to protecting the health and privacy of all of its patients," the hospital said.
A spokesperson for Multi-Specialty said the company could not comment on the lawsuit or Stanford's allegations, since there is an ongoing investigation.