My alma mater, Stanford University, is awaiting final judicial approval of a $4 million settlement in a class action suit over its 2011 data breach. Each of the 20,000 class members — whose confidential medical records were left up online for almost a year — will receive $100 and Stanford Hospital & Clinics will fund a $500,000 educational program to help prevent similar breaches in the future.
The question, however, is who the program will educate. Stanford alleges that it sent the information in an encrypted spreadsheet to a billing subcontractor, Multi-Specialty Collection Services LLC. At some point thereafter, the information was posted to the website Student of Fortune, a “homework help” site, by a person or persons looking for a contractor to turn it into a graph. In August 2011, a patient whose data was posted to the site alerted Stanford to its existence.
Though this may be the biggest medical data breach settlement to date, it’s hardly the biggest breach. Just last week, a computer theft at billing contractor Sutherland Healthcare Solutions left more than 200,000 people’s data in jeopardy. It just goes to show that, no matter how secure your own systems and processes are, if you’re not making sure your vendors are up to the same standards, you still might be liable for a data breach.