Stanford Hospital & Clinics Data Breach Class Action Lawsuit

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

Stanford Hospital & Clinics has been hit with a $20 million class action lawsuit over a data breach that resulted in the release of 20,000 confidential patient medical records that were posted on a commercial website for nearly a year.

Stanford confirmed the data breach on September 8 when it revealed the released information included medical record numbers, hospital account numbers, billing charges, and emergency room admission and discharge dates. It also revealed a Santa Clara man’s psychiatric diagnosis. Credit card and Social Security numbers were not included, Stanford said.

According to the class action lawsuit, the Stanford Hospital data breach violated the Confidentiality of Medical Information Act, a state law that requires medical providers to safeguard patient information and prohibits its disclosure without written consent.

“On its website, Stanford claims that its patients’ ‘health care experience is [its] highest priority.’ Thus, it should be no surprise that when patients are treated at Stanford’s facilities, they expect that their private medical information will be kept confidential and will not be disclosed to anyone without their authorization,” the Stanford Hospital class action lawsuit states.

Stanford responded to the class action lawsuit by saying it would “vigorously defend” itself against the suit, placing blame on the complaint’s co-defendant, Multi-Specialty Collection Services, the subcontractor Stanford says mishandled the data. Stanford has since cut ties with the company, which provided collection and billing services.

Stanford said it properly sent the data to Multi-Specialty Collection Services in an encrypted format to protect its confidentiality, but that the company put that information into a spreadsheet and sent it to a third party for help creating a graph to display the data. That third party then posted the information to a public website, according to Stanford.

“This mishandling of private patient information was in complete contravention of the law and of the requirements of [Multi-Specialty Collection Service’s] contract with [Stanford Hospital & Clinics] and is shockingly irresponsible,” Stanford said in a statement.

The Stanford Hospital & Clinics data breach lawsuit is seeking class action status to represent all patients treated in Stanford’s emergency room between March 1, 2009 and August 31, 2009. It is seeking $1,000 per patient, in addition to other penalties, damages and attorneys fees.

The case is Shana Springer v. Stanford Hospitals & Clinics and Multi-Specialty Collection Services, LLC, Case No. BC470522, Superior Court of the State of California, County of Los Angeles, Central District.

UPDATE: On March 19, 2014, Los Angeles Superior Court Judge Elihu Berle indicated his intent to preliminarily approve the Stanford Hospital data breach class action settlement, after minor revisions to the Class notice were made.