Major data breach at Stanford Hospital
A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billing contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."
This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because this breach went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, "nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed," which is a staggering number.
To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for a vendor's own negligent acts or omissions which result in a data breach or loss. Stanford Hospital's example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from a vendor's actions.
The Times correctly pointed out that contract language alone is not enough, and that significant due diligence by each provider is required. Certainly, employee training for both the hospital and its business associate-type contractors is absolutely essential. Conveying the seriousness and gravity of health information privacy breaches should be a key element of such training. However, a clear termination right and a strong contractual obligation to indemnify the provider in the event a vendor causes a major breach like the one at Stanford Hospital is a good start.
We frequently see vendor agreements either without such an indemnification clause or with severe caps on the vendor's liability. The latter is often limited to one year's worth of fees or, in a better scenario, all fees paid by the provider to the vendor under the agreement. However, in the case of a major breach caused by a vendor, such caps would not allow a provider to recover its costs and damages in dealing with the breach. Therefore, carve-outs from the vendor's limitation of liability for the vendor's own breaches involving PHI or other confidential information are crucial.
Stanford Hospital may be exposed to significant fines under both federal and state privacy laws. In fact, another Stanford hospital (Packard Children's) was slapped with a $250,000 fine under California law for failing to report a breach within 5 days. However, such regulatory expenses are just the tip of the iceberg: Stanford Hospital will have to spend a lot more on investigations, legal expenses, staff time, and, possibly, credit monitoring for the affected individuals.
For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.
"Patient Data Posted Online in Major Breach of Privacy," The New York Times (September 8, 2011).
"Stanford Hospital Suffers Comically Stupid Patient Data Leak," Gawker.com (September 8, 2011).
HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.
In a highly anticipated move, on December 1, 2010, the Federal Trade Commission (FTC) released its report and recommendations regarding protecting personal information gathered online. The FTC recommended moving away from self-regulation by the industry towards a more European, "privacy-by-design" approach, which offers a much greater degree of protection to individuals, including by requiring businesses that collect data online to build privacy protections into their everyday business practices, to retain data on consumer preferences and online browsing activity only as long as needed, and to delete data on a regular basis.
A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, over a two-year period, each hospital will incur about $2 million in losses due to data breaches, which results in $12 billion cumulative loss for all U.S. hospitals.
According to a new study by the Center for Studying Health System Change, less than 7% of U.S. physicians communicate with their patients via e-mail. According to the
Post & Schell, in collaboration with
Our own Steve Fox was interviewed by
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.
The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a
In November of 2009, health insurance provider HealthNet
Breaches are not always caused by lost laptops or hackers. They often result from simple errors by the hospital's or another provider's own staff. In a very recent example, the California Department of Public Health found two instances of serious mishandling of protected patient information at Children's Hospital of Orange County. Via
Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of the RFR's identity theft prevention requirements to their member organizations. The FTC is to begin enforcement of the Rule on June 1, 2010. Among other claims, the medical associations are asking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA. According to
The Wall Street Journal devoted the front page of its "Marketplace" section to a
The Office of National Coordinator for Health IT (ONC)
Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT. This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.
There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information. Here are just a few notable reports on this subject:
On September 15, 2009, the HIT Standards Committee