Even Encrypted PHI Can Be at Risk | HIPAA Compliance

As noted in the October 6, 2011, posting by Alan Goldberg on the American Health Lawyers Association Health Information Technology listserv available at hit@lists.healthlawyers.org, affectionately called the HIT List, referring to a New York Times article and a Mercury News article, Stanford Hospital and Clinics is facing a $20 million class action suit for a breach of data regarding 20,000 emergency room patients.

According to information from all three of these sources, the chain of events that led to originally encrypted data ending up on a website open to the public demonstrates what I have said all along: the main problem is people, not technology. Apparently, Stanford had encrypted the data and properly sent it to a company called Multi-Specialty Collection Services. The company produced an electronic spreadsheet that included names, admission dates, diagnosis codes, and billing charges, but no credit card information or Social Security numbers. That spreadsheet was forwarded, as part of a skills test, to a job applicant, who sought help turning the data into a graph by posting the spreadsheet on a public website, StudentofFortune.com, where the information remained available to the public for a year or so. Upon learning of the breach, Stanford immediately had the information removed from the website and arranged identity theft protection for the victims of the breach, thereby mitigating damages.

For those of you wondering how a plaintiff could bring a lawsuit regarding health information without a state attorney general bringing the lawsuit in federal court on the plaintiff's behalf: you would be correct that this could not be done if the lawsuit were based on HIPAA. This lawsuit against Stanford, however, apparently alleges that the hospital violated the Confidentiality of Medical Information Act, a California state law that requires medical providers to safeguard patient information and prohibits its disclosure without written consent.

Posted October 6th, 2011, in: HIPAA Compliance Blog