Medical Privacy Breach Exposes Confidential Information of 20,000 Emergency Room Patients

September 15, 2011

Illinois medical malpractice lawyers at Pintas & Mullins are warning of a major privacy breach that recently occurred at a prestigious California hospital, compromising the confidential data of more than 20,000 emergency room patients. Private information regarding patients' names, discharge dates, and diagnosis codes was exposed for more than a year on a public site. Improperly exposing sensitive medical health information has serious consequences for patients and health care providers who are legally and ethically bound to principles of confidentiality.

The New York Times is reporting on the security failure at Stanford Hospital in Palo Alto, California, which occurred in September 2010. Although the source of the medical data breach is still somewhat unclear, it appears that a third-party consultant, Multi-Specialty Collection Services, lost a detailed spreadsheet containing patient names, account numbers, billing information and diagnosis codes. The spreadsheet ended up on a website called Student of Fortune, a tutoring website that used the spreadsheet to show students how to convert data into a bar graph. The confidential patient information remained publicly available for more than a year, until a patient finally discovered it and reported it to the hospital.

The breach could have a significant impact on the hospital and its patients, particularly because the medical data could be used for identity theft purposes. In light of this risk, Stanford Hospital is offering free identity protection services to patients. Fortunately, the exposed data did not include patients' Social Security numbers or credit card information, but it did include enough personally identifiable health information to create serious insurance fraud concerns.

Sadly, breaches like this one are becoming far too common as more and more hospitals shift to electronic records and rely heavily on outside contractors. Many of these hospitals do not have the financial means available to install firewalls on their computers or use encrypted USB drives. Without adequate security measures in place, patient data is always at risk of being exposed. Records from the Department of Health and Human Services show that the private medical data of more than 11 million people has been publicly exposed over the last two years. Nearly 20 percent of these breaches involved outside contractors.

We understand that all patients have the right to have personal, identifiable medical information kept private. Our entire health care system is structured around principles of confidentiality, which encourage open and honest patient-provider disclosures and promote public health. Ethical codes also require health care professionals to practice patient confidentiality. The American Medical Association sets guidelines encouraging physicians and nurses to safeguard patients' privacy, particularly as the use of electronic health records becomes widespread.

Health care professionals who fail to respect patients' medical privacy are subject to substantial liability. When a patient's private medical information is released without the patient's permission, the patient can take legal action. Courts are increasingly willing to award damages for patient privacy breaches, based on a national standard of care among the medical community to safeguard medical information.

Health care providers cannot rely on outside contractors to adequately protect private patient information. Regardless of who is ultimately at fault for the breach, the principal health care organization is still responsible for the private information of its patients. In order to avoid liability, medical professionals need to be vigilant and watch over their vendors to ensure that proper safety steps are being taken, rather than simply relying on a legal contract. Our experienced medical malpractice attorneys recognize that we live in an increasingly digitized world, and extra steps need to be taken in order to ensure that patients' private medical information remains protected.