A Look Back: $4.1 Million Settlement

Veriphyr proactively reports impermissible use of PHI the first time it happens.



20,000 people visited the Stanford Hospital emergency room between March 1st, 2009 and August 21st, 2009. Each one of them had their protected health information (PHI) publicly visible for over a year. Exposed information included medical record numbers, hospital account numbers, billing charges, and emergency room admission and discharge dates.

How did this happen?

Stanford Hospital sent the PHI to a subcontractor, Multi-Specialty Collection Services LLC. This company then sent the data to a third party website for help making a graph. Corcino & Associates, the website which received the PHI, then posted the information online.

Thankfully, there were no resulting reports of identity fraud.

Today, less than a third of hospitals are insured against privacy breaches like the one Stanford faced in 2010. As a result, many hospitals are vulnerable to the rising costs of lawsuits.


The Lawsuit

Shauna Springer, on September 28, 2011, filed a $20 million class action lawsuit on behalf of the others whose PHI was exposed. The $20 million included $1,000 per patient, other penalties, damages, and attorneys’ fees.

The charge was that Stanford Hospital and Clinics and Multi-Specialty Collection Services violated California’s Confidentiality of Medical Information Act (CMIA). CMIA states that healthcare providers must obtain consent from the patient before disclosing PHI.

Stanford fought and placed blame instead on Multi-Specialty Collection Services for sending the data to a third party. A 2018 study by the Ponemon Institute found that reducing the role of all third parties significantly reduces the cost of data breaches.

Proper steps were taken by Stanford Hospital by sending the PHI to Multi-Specialty Collection Services in an encrypted format.


The Resulting Settlement

Stanford was, for that reason, exonerated. However, Stanford Hospital and Clinics and Multi-Specialty Collection Services LLC agreed to $4.125 million settlement.

Of the $4.125 million, Stanford agreed to pay $750,000 to properly train all staff and business associates on the rules involving PHI. Multi-Specialty Collection Services and Corcino and Associates will pay the other $3.3 million.

Each patient exposed will receive about $100.

By today’s standards, $4.125 million is tiny. Anthem Inc. recently settled its privacy breach for $115 million.



(a) The Mercury News – October 3, 2011

(b) HIPAA Journal – March 20, 2014