17 October 2011


Last month I noted the breach of medical information (including patient names and diagnostic codes) at Stanford Hospital. Stanford is now facing a class action over that breach. It states that -
Stanford Hospital & Clinics (SHC) understands that a purported class action lawsuit was filed against it and Multi-Specialty Collection Services, LLC (MSCS), an outside vendor that caused some confidential information about patients who visited Stanford Hospital’s emergency room to be posted on a website. SHC intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit.

SHC takes very seriously its obligation to treat its patient information as private and confidential. As soon as this was brought to SHC’s attention by a patient, the hospital demanded and had the spreadsheet taken down from the website and backup servers. SHC quickly notified the affected patients of this breach and offered to provide free identity protection services to all the patients, even though the information disclosed on the website is not the type used for identity theft. To date there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose. SHC has investigated this matter, terminated its relationship with MSCS, and reported this breach to law enforcement authorities.

MSCS is a California company that provided business and financial support to SHC and was operating under a contract with SHC that specifically required it to protect the privacy of the patient information sent to it and that prohibited unauthorized disclosure of that information. SHC properly sent the data to MSCS in an encrypted format to protect its confidentiality. SHC’s investigation of this regrettable incident has determined that MSCS then prepared an electronic spreadsheet from that data that had the names, addresses and diagnosis codes of almost 20,000 patients. Unfortunately, MSCS improperly sent the spreadsheet it had created to a third person who was not authorized to have that information and who improperly posted it on a website, apparently to get assistance in generating a graph from MSCS’s spreadsheet. This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS’s contract with SHC and is shockingly irresponsible.

SHC regrets that its patients’ confidentiality was breached and is committed to protecting the health and privacy of all of its patients.
Elsewhere Stanford states that -
* SHC aggressively pursued a comprehensive investigation, which resulted in identifying the person who caused the information to be posted in violation of federal law and SHC’s contract. The individual who created the spreadsheet was SHC’s primary contact at MSCS and MSCS’s executive vice president. SHC has learned that his relationship with MSCS was that of an independent contractor.

* The vendor’s file, which was posted on September 9, 2010, had limited information about 20,000 patients treated in SHC’s Emergency Department from March 1 through August 31, 2009. The information included the patient’s name, medical record and hospital account numbers, an emergency department admission/discharge date, diagnosis codes related to the emergency department visit, and billing charges.

* Information generally associated with identity theft, such as credit card and social security numbers, was not published on the web site or otherwise breached.

* SHC notified appropriate government authorities and is cooperating fully. Letters were sent to affected patients informing them of the breach. Any patient receiving the letter may call 855-731-6016 for assistance with their questions or concerns.

* While information generally used for identity theft was not compromised, SHC has made arrangements for affected patients to receive free identity protection services if they wish to.

* From Diane Meyer, Chief Privacy Officer at Stanford Hospital & Clinics: “We sincerely apologize for the concern this has caused our patients. We value the privacy of patient health information and are committed to protecting it at all times. Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients’ information. We have worked extremely hard to identify all the parties responsible. No Hospital staff member was involved in posting the file to the website. We will continue to take aggressive action to hold all responsible parties accountable.”
The New York Times has meanwhile reported that -
an e-mail sent to a victim of the breach, the billing contractor, Joe Anthony Reyna, president of Multi-Specialty Collection Services in Los Angeles, explained that his marketing vendor, Frank Corcino, had received the data directly from Stanford Hospital, converted it to a new spreadsheet and then forwarded it to a woman he was considering for a short-term job.

The position was with Mr. Corcino’s one-man shop, Corcino & Associates, Mr. Reyna wrote in the e-mail, which was authenticated by his lawyer, Ellyn L. Sternfield. The job applicant apparently was challenged to convert the spreadsheet — which included names, admission dates, diagnosis codes and billing charges — into a bar graph and charts, Stanford Hospital officials said.

Not knowing that she had been given real patient data, the applicant posted it as an attachment to a request for help on studentoffortune.com, which allows students to solicit paid assistance with their work. First posted on Sept. 9, 2010, the spreadsheet remained on the site until a patient discovered it on Aug. 22 and notified Stanford.

The hospital, located on the campus of Stanford University in Palo Alto, demanded that the spreadsheet be removed, and the Web site quickly complied. Pressed for time, the job prospect wound up completing the assignment herself and, in the end, did not get hired, Ms. Sternfield said.
Not hiring the contender doesn't make the problem go away, and the claims and counterclaims have become nasty.

The NYT reports that -
Mr. Corcino, in his first public statement, attributed the breach to "a chain of mistakes which are far too easy to make when handling electronic data." ...

The Stanford breach was notable for the duration of public exposure, and for spotlighting the vulnerability created by a medical provider’s business relationships with outside parties.

Last week, lawyers filed suit in state court in Los Angeles, seeking certification as a class action and $20 million in damages from Stanford Hospital & Clinics and Multi-Specialty Collection Services, which is known as MSCS. The threat of liability set off a predictable round of finger-pointing.

In written responses to questions, Lisa Lapin, Stanford University’s assistant vice president for university communications, said, “MSCS bears the complete and sole responsibility for the breach.”

Ms. Lapin said the hospital had sent the data in encrypted form to Mr. Corcino, who requested it on behalf of MSCS to analyze a strategy for improving billing collections. She said Mr. Corcino had regularly represented himself as MSCS’s executive vice president and had been Stanford’s “primary contact” during a seven-year relationship. MSCS, a five-person firm that audits hospital accounts to maximize reimbursement, possessed the passwords to unencrypt the data, she said.

“This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS’s contract and is shockingly irresponsible,” the hospital said in a statement.
Relying on the Casablanca model, various people are expressing shock, distress and amazement -
Ms. Sternfield, Mr. Reyna’s lawyer, said Mr. Corcino had never been an MSCS employee, but rather was paid a monthly fee to drum up business, typically in face-to-face meetings with health care executives. Mr. Reyna, she said, had no knowledge that the Stanford data had been sent to Mr. Corcino, or that he had passed it on.

Mr. Corcino was not authorized to use an MSCS title, Ms. Sternfield said, but she declined to say whether Mr. Reyna was aware of the practice. She acknowledged that Mr. Corcino sometimes used an MSCS e-mail account.

In his e-mail to the breach victim, who shared it with The Times, Mr. Reyna wrote that Stanford had sent the file to Mr. Corcino “for a potential MSCS project that would audit paid accounts to verify that the reimbursement was correct.”

For his part, Mr. Corcino said in a statement that he was an independent contractor but was “the marketing face of the company,” and that MSCS “allowed me to use the title of executive vice president.” He wrote: “Stanford sent the file to me at MSCS, and I imported the data into a spreadsheet that was forwarded to the job applicant as part of a skills test. I did not intend to provide any personal health information in the file. This was a marketing project.”

Without explaining how or why he sent the data to the applicant, Mr. Corcino said MSCS had not trained him properly and faulted Stanford for sending him private information that he did not need. That, he said, was the “first link in a chain of mistakes.”

“I regret that Stanford released a file containing unnecessary information,” Mr. Corcino said, “that MSCS did not have an appropriate training and audit system for the handling of electronic data and that I was not more careful with the file. While Stanford and MSCS left the information in the file I received, it was my mistake to not catch its inclusion and remove the data.”
Oh dear.

The NYT notes that "breaches of private medical data have become distressingly commonplace, with two substantial ones disclosed in the last week alone" -
officials with Florida Hospital reported that three employees had improperly combed through emergency department records of 2,252 patients, apparently to forward information about accident victims to lawyers. The employees were fired, and law enforcement officials are investigating.

Meanwhile, Science Applications International Corporation disclosed that computer backup tapes containing medical data for 4.9 million military patients had been stolen from an employee’s car in San Antonio. The data included Social Security numbers, clinical notes, laboratory test results and prescriptions. The company said the risk of harm was low because retrieving data from the tapes would require specialized knowledge, software and hardware.

The Texas breach is by far the largest since September 2009, when a new federal law began requiring disclosures of medical privacy violations involving at least 500 people. Some 330 such episodes have been tallied, including four others that affected more than one million people each.

Officials at the Department of Health and Human Services said the new reporting requirements had exposed deep vulnerabilities and encouraged renewed vigilance.

“We’re moving in the right direction in terms of a culture of compliance,” said Leon Rodriguez, director of the department’s Office for Civil Rights, which investigates medical privacy cases. “Are there still a lot of problems out there? Yeah, my sense is there are still a lot of problems.”