The Security Scrutinizer with Howard Anderson

Stanford Breach an Unusual Tale Another Reminder About Business Associate Monitoring

The healthcare organization, as well as its business associate, now face a class action lawsuit in the case. Stanford said in an Oct. 3 statement that it "intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit."

The incident provides yet another example of the importance of limiting patient data shared with business associates and their subcontractors to the "minimum necessary" amount, as well as the need to monitor business partners' security and privacy policies.

The incident provides yet another example of the importance of limiting patient data shared with business associates and their subcontractors to the 'minimum necessary' amount. 

The breach incident, which involved inappropriately posting on a website information about patients treated in the hospital's emergency department, affected 19,651 patients, according to the official federal tally of major health information breaches.

The information about patients treated between March 1 and Aug. 31, 2009, included patient names, medical record numbers, hospital account numbers, emergency room admission/discharge dates, medical codes for the reasons for the visit and billing charges, Stanford acknowledged (see: Stanford Reports Website Breach).

Although the information did not include credit card information or Social Security numbers, Stanford said that, nevertheless, it's offering those affected free identity protection services. And that's a commendable move that many other organizations haven't taken in similar circumstance.

Unusual Circumstances

So just how did the information wind up on the Internet? Well, the circumstances are unusual, to say the least.

In an Oct. 7 statement, Stanford said that it sent encrypted patient information to its business associate, Multi-Specialty Collection Services. Then, according to the statement, the business associate "decrypted the data and used it to create a spreadsheet, which it then provided to an unauthorized person, who posted it on a student homework website in order to get help creating a bar graph and charts."

Stanford suspended all work with the vendor upon discovery of the breach, demanded that the vendor lock down all patient information and then terminated the vendor relationship, according to the statement.

The New York Times reported that Multi-Specialty Collection Services claimed its marketing vendor, an independent contractor, had received the patient data directly from Stanford, converted it to a spreadsheet, and then forwarded it to a woman being considered for a short-term job. The job applicant apparently was challenged to convert the spreadsheet into a bar graph and charts, the newspaper reported.

Not knowing she had been given real patient data, the applicant posted it as an attachment to a request for help on studentoffortune.com, which allows students to solicit paid assistance with their work, according to the New York Times. First posted on Sept. 9, 2010, the spreadsheet remained on the site until a patient discovered it on Aug. 22, 2011, and notified Stanford.

The class action lawsuit, filed by the law firm Keller Grover, alleges violations of the California Confidentiality of Medical Information Act. Earlier, the same law firm filed a similar suit regarding another breach incident involving Health Net and IBM.

So what are the lessons here? Well, if you want to avoid bad publicity from a breach, muchless a lawsuit, take steps to ensure it's absolutely essential to share patient data with business associates for a specific purpose. Take a close look at your business associate's privacy and security policies and carefully review which individuals at the vendor truly need access to patient information. And it couldn't hurt to ask for a copy of vendor's security audit and corrective action plan. Oh, and don't forget to ask for detailed information about subcontractors and their roles.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network