Negligence in Business Associate Security Results in 20K Patient HIPAA Infringement

As per a New York Times story circulated this week, the health reports of 20,000 patients of Stanford University Hospital in Palo Alto, Calif., have been announced online and available to the public for nearly a year after a mistake was made by one of the hospital’s business partners.

The hospital as well as its service provider – Multi-Specialty Collection Services of Los Angeles (MSCS) – verified that a work sheet having the medical information of 20,000 patients had been inadvertently sent to a job candidate who in turn forwarded the data on a teaching website as a portion of a job skills examination. The data was forwarded on Dec. 9, 2010 and continued accessible until a patient found it and brought it to the notice of the hospital on Aug. 22, 2011.

MSCS clarified how the incident happened in an email transmitted to affected patients, as per the NYT report. Anthony Reyna, MSCS President, said the patient that a marketing dealer had been delivered patient health info directly from Stanford Hospital. After changing the data to a different layout it was mistakably given to a job seeker to use as a portion of a skills test; which involved changing the data into charts and graphs. The candidate posted the information on a website known as and requested assistance with the project.

After not receiving offers of help with the work, the applicant finished the job on her own, although she didn’t get the short time job for which she applied and she overlooked to erase the post. The data continued on the website until it was found approximately a year later. The student had not believed that the data was actual, and Anthony Reyna verified that the revelation resulted from the activities of his retailer, Frank Corcino.

The data included in the spreadsheet contained names, billing codes, dates of admission, diagnostic codes, as well as fees, however, and no social security numbers were incorporated into the files. As soon as the data infringement was revealed the BA was advised to instantly delete the worksheet. The files have now been removed though it is unknown how many persons accessed the data during the period it was online.

HIPAA breaches are probed by the Office for Civil Rights of the Department of Health and Human Services as well as civil and even criminal fines can be brought against companies that neglect to apply the necessary controls to safeguard the medical files of patients.

Attorneys have already recorded class action litigations against Multi-Specialty Collection Services and Stanford Hospital & Clinics with $20 million harms being demanded for a lack of precautions being applied to safeguard patient files. The hospital has ended the agreement with its business partner, which in turn has ended its relationship with Mr. Corcino. Lisa Lapin, Assistant Vice President of Stanford University distanced the hospital from its partner and stated, “MSCS bears the sole and complete responsibility for the infringement.”

While it doesn’t take the blame for the HIPAA infringement itself, the hospital is taking action to alleviate any damage produced and has already informed all patients affected and offered them completely free credit supervising and identity thievery services. The hospital also verified that no dates of birth, credit card details or Social Security numbers had been revealed in the infringement.

This HIPAA infringement shows how a series of simple mistakes can lead to the revelation of thousands of safeguarded health files. Healthcare companies should make sure that business partners are conscious of the rules laid down by HIPAA to safeguard the secrecy of patients, and make certain the required controls are applied to keep electronic health files of patients safeguarded.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.