HIPAA Horror Stories

September 28, 2012

In October 2011, the names and diagnosis codes of approximately 20,000 patients of Stanford University hospitals were found posted on “Student of Fortune,” a website that offers students help with homework. Stanford’s investigation revealed that a consultant, who had received the data as part of an engagement, had given it to an applicant as part of a practical job interview process. When the applicant turned to Student of Fortune for help in completing the assignment, s/he uploaded the patient information to their website. At the conclusion of the Department of Health and Human Services (DHHS) Office of Civil Rights’ (OCR’s) investigation, the contractor might be subject to fines of as much as $1,500,000. A number of patients have already filed suit against Stanford Hospital, seeking a collective settlement of $20,000,000, under California’s medical record privacy law. In addition, Stanford’s “Business Associate” might be liable for damages if any of the patients prevail in civil suits.

M.D. Anderson
In June 2012, an unencrypted laptop computer containing Protected Health Information belonging to 30,000 patients was stolen from the home of a physician-researcher at M.D. Anderson Cancer Center. The data included medical record numbers, patient names, social security numbers, and clinical information. It included records going back more than ten years. No announcement has yet been made regarding fines or other penalties. However, depending on the results of the investigation by the primary HIPAA enforcement agency, the DHHS OCR, and on the timing and circumstances of the data collection, fines might range from $300,000 to $4,000,000, not including damages from civil suits, if any, if patients were harmed as a result of the incident.

Memorial Sloan-Kettering
In June 2012, a PowerPoint presentation containing Protected Health Information was discovered to have been posted, for more than five years, on the Internet. The presentation, which was intended for use by members of two professional medical organizations, was created by Memorial Sloan-Kettering staff. The presentations could be located through searches of patients’ names. However, the patient information was obscured by graphs and other illustrations, and was therefore visible only if the images were manipulated; e.g., by downloading and enlarging them. No penalties have yet been announced. However, OCR might impose fines of $100 to $50,000 for each record posted. Additional penalties, including civil damages, might also apply.

St. Louis Plastic Surgery Practice
In August 2012, a St. Louis plastic surgeon posted on her website before-and-after photographs of thirty women who had undergone breast augmentation. Though their faces were obscured, the patients sued for negligence when they discovered that the pictures included identifying information, and that the site could be located simply by searching for the patients’ names. Ten of the patients have filed suit for invasion of privacy, seeking unspecified damages. OCR’s investigation is still pending.

Submitted by Deborah Lyman on September 28, 2012