Stanford Hospital and Clinics will pay more than $4.1 million to settle a class action lawsuit for allowing the information of about 20,000 patients to be posted online for nearly a year.
The breach occurred in 2010 and affected patients who visited the facility’s emergency department from March 1 – Aug. 31, 2009, reports the San Jose Mercury News.
The names and diagnosis codes of 20,000 patients were in the possession of a vendor called Multi-Specialty Collection Services, and ended up on a Web site called “Student of Fortune.” The Web site allows students to solicit assistance with their school work for a fee.
The spreadsheet first appeared on the site as an attachment to a question about how to convert data into a bar graph.
The spreadsheet was initially sent to a job prospect as part of a skills test by a marketing agent for Multi-Specialty Collection Services. The applicant sought help on the test by posting the data on the Web site.
The data remained on the site starting in September 2010 until a patient discovered it on Aug. 22 and notified the hospital. No credit card or Social Security information was posted.
California hospitals are legally barred from disclosing patient records without their written consent.
