Last week, Shana Springer, one of the patients whose information was exposed, filed the class-action lawsuit against Stanford Hospital & Clinics and Multi-Specialty Collection Services, an outside vendor that was allegedly responsible for the breach, in Los Angeles County Superior Court. The lawsuit asks for $1,000 per patient, according to a report by Palo Alto Weekly.
Stanford Hospital & Clinics confirmed that a lawsuit had been filed, but did not provide details. In a statement, the hospital said it “intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.”
Details of the data breach were revealed last month in newspaper reports. This week, the hospital provided its own version of events. It said that it sent encrypted information on the 20,000 patients to Multi-Specialty Collection Services. The contractor then decrypted the data and used it to create a spreadsheet, which it sent to an “unauthorized person”, who posted it on a student website in order to get help creating a bar graph and charts.
The information, which was posted on the website for a year, included the patients’ names, medical record numbers, hospital account numbers, emergency department emission and discharge dates, diagnostic codes, and billing charges. It did not include credit card and social security numbers, according to the hospital.
Stanford Hospital & Clinics said it suspended all work with the vendor when it discovered the breach and demanded that the contractor “lock down” all patient information. It subsequently terminated its relationship with the contractor.
The hospital notified the “appropriate government authorities” and the affected patients, and offered them free identity protection services.
A spokesperson for Multi-Specialty Collection Services declined to comment on the lawsuit or Stanford Hospital & Clinics' accusations.