Updated October 7, 2011


Electronic Files and Patients' Personal Information Discovered and Removed From Web Site: Summary and Frequently Asked Questions


After a vendor’s electronic file that included certain Stanford Hospital & Clinics (SHC) patient information was discovered on a web site on August 22, 2011, it was removed the next day and SHC began an aggressive investigation.  To learn more about this issue, read our Summary and Frequently Asked Questions. This page will be updated periodically.

Summary

* Multi-Specialty Collection Services, LLC (MSCS) is a vendor that provided business and financial support to SHC.  SHC sent encrypted patient information to MSCS for permissible business purposes, and MSCS was responsible by law and contract for protecting all patient information provided to it for its services.   MSCS decrypted the data and used it to create a spreadsheet, which it then provided to an unauthorized person, who posted it on a student homework website in order to get help creating a bar graph and charts.   SHC immediately suspended all work with the vendor upon discovery of the breach and demanded that MSCS lock down all patient information.  SHC subsequently terminated the vendor relationship. 

* SHC aggressively pursued a comprehensive investigation, which resulted in identifying the person who caused the information to be posted in violation of federal law and SHC’s contract.  The individual who created the spreadsheet was SHC’s primary contact at MSCS and MSCS’s executive vice president.  SHC has learned that his relationship with MSCS was that of an independent contractor. 

* The vendor’s file, which was posted on September 9, 2010, had limited information about 20,000 patients treated in SHC’s Emergency Department from March 1 through August 31, 2009. The information included the patient’s name, medical record and hospital account numbers, an emergency department admission/discharge date, diagnosis codes related to the emergency department visit, and billing charges.

* Information generally associated with identity theft, such as credit card and social security numbers, was not published on the web site or otherwise breached.  

* SHC notified appropriate government authorities and is cooperating fully.  Letters were sent to affected patients informing them of the breach.  Any patient receiving the letter may call 855-731-6016 for assistance with their questions or concerns. 

* While information generally used for identity theft was not compromised, SHC has made arrangements for affected patients to receive free identity protection services if they wish to.

* From Diane Meyer, Chief Privacy Officer at Stanford Hospital & Clinics: “We sincerely apologize for the concern this has caused our patients.  We value the privacy of patient health information and are committed to protecting it at all times. Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients’ information.  We have worked extremely hard to identify all the parties responsible.  No Hospital staff member was involved in posting the file to the website.  We will continue to take aggressive action to hold all responsible parties accountable.”

* A purported class action lawsuit was filed in a Los Angeles court. Read Stanford Hospital & Clinics’ response in this statement.


Frequently Asked Questions 

Who posted the patient data to the website? 
The executive vice president of MSCS, a Hospital vendor, created the spreadsheet and gave it to an unauthorized party, who posted it to a homework help website.  The posted question asked how to create bar graphs and charts from data, and included the file in an attachment. 

Why did SHC provide the information to its vendor?
SHC sent the data to MSCS for permissible hospital billing support purposes.  SHC’s data were encrypted, were sent through SHC’s secure systems, and were solely to be used by MSCS for the business service.  SHC had extremely strict contractual requirements in place with the vendor.  These required MSCS and all those it worked with to safeguard the privacy and security of SHC patient information and to prevent unauthorized disclosure of the information.

Were electronic medical records posted to the website?
No. Despite an inaccurate original report in the New York Times, which has been relied upon by other media, electronic medical records were not posted.  The information in the file was limited to patient name, medical record number, hospital account number, emergency department admit / discharge date, diagnostic codes for the reasons the person was seen in the emergency department, and billing charges.  

Was information such as address or social security number posted?
No. Identifiers such as social security number, addresses, dates of birth, credit or debit card numbers, and insurance coverage information were not posted. 

If I have questions relating to the vendor that caused the information to be disclosed, whom should I contact?
Multi-Specialty Collection Services, LLC, can be contacted at (310) 410-0631. 

I received a letter notifying me of the event but the letter has information about Debix.   Is this letter a scam? 
No, the letter you received is not a scam.  SHC is working with a professional call center and identity protection company called Debix for assistance.  Additionally, SHC is providing free Identity Theft Insurance Coverage and Fraud Resolution Services for affected patients who choose to register for this service.    

Am I at risk for financial identity theft or medical identity theft due to this event?
Typically, personal information other than name is needed to commit financial identity theft or medical identity theft.  Identifiers most often associated with identity theft are addresses, dates of birth, social security number, health insurance information, and credit card and bank account information.  This type of data was not posted to the website.   

What is SHC doing about this incident?
To protect our patients, as soon as SHC became aware of the posting, it took aggressive steps to remove the vendor’s file from the website, and the file was removed the next day.  As described in the Summary above, SHC launched a full investigation and demanded immediate cooperation from its vendor.  SHC suspended all work with the vendor and subsequently terminated the contractual relationship.  SHC also quickly notified law enforcement authorities as well as affected patients.  SHC arranged for identity theft protection services for any affected individuals who wish to use them.

I’ve read in the media that the lawyer for MSCS said Frank Corcino was simply used to "drum up business," and wasn’t authorized to use an MSCS title and only on occasion used an MSCS email account. Is that correct?
No. As the communications between Stanford and MSCS during the years of the relationship evidence, Frank Corcino was much more than a business developer. He was Stanford's primary contact at MSCS throughout the course of substantive projects and analyses that MSCS undertook for Stanford. Stanford has documentation showing that Mr. Corcino routinely used an MSCS email account and that MSCS’s president, Joe Anthony Reyna, knew of this practice because he was included on many emails. Stanford also has extensive documentation showing that Mr. Corcino regularly used a signature block listing him as MSCS’s executive vice president (“EVP”) and that MSCS’s president, Mr. Reyna, knew of this practice. Moreover, MSCS’s company website -- which it recently disabled -- held out Frank Corcino as MSCS’s contact and specifically directed the public to him for MSCS services.

I’ve read in the media that MSCS says Frank Corcino was acting through Corcino & Associates, not MSCS, when he disclosed patient data to an unauthorized third person. Is this true?
Despite repeated opportunities to substantiate its position, MSCS has provided no evidence whatsoever for the assertion that this act was taken through Corcino & Associates. To the contrary, Mr. Corcino’s communications with the third-party regularly used his MSCS account and his signature block as MSCS executive vice president, just as he did in correspondence with Stanford.

I’ve read in the media that Frank Corcino said Stanford sent him information that he did not need. Can you explain this?
Stanford has documentation that clearly shows that Mr. Corcino, using his MSCS title and email, explicitly requested the data that were provided so that MSCS could conduct the work.


About Stanford Hospital & Clinics
Stanford Hospital & Clinics is known worldwide for advanced treatment of complex disorders in areas such as cardiovascular care, cancer treatment, neurosciences, surgery, and organ transplants. It is currently ranked in the top 20 on the U.S. News & World Report’s "America's Best Hospitals" list and No. 1 in the San Jose Metropolitan area.  Stanford Hospital & Clinics is internationally recognized for translating medical breakthroughs into the care of patients.  The Stanford University Medical Center is comprised of three world renowned institutions: Stanford Hospital & Clinics, the Stanford University School of Medicine, the oldest medical school in the Western United States, and Lucile Packard Children's Hospital, an adjacent pediatric and obstetric teaching hospital providing general acute and tertiary care. For more information, visit http://stanfordhospital.org/.
