Stanford University Hospital & Clinics recently agreed to settle a lawsuit filed against the hospital and two former vendors that were involved in a large breach of confidential patient information. The hospital and the two vendors will pay over $4.1 million to settle a class action alleging that the three entities violated a California privacy law by allowing the medical information of approximately 20,000 emergency room patients to be posted on a public website for nearly a year.

The hospital released a statement which stressed that Federal and state agencies had reviewed its actions, including its security and privacy safeguards, and determined there was no violation on its part. The two vendors have agreed to pay $3.3 million of the total $4.125 million settlement.

Shortly after the complaint was filed in 2011, the hospital placed the blame on the first vendor, a collection and billing firm called Multi-Specialty Collection Services (MSCS). The hospital said it properly sent the medical information to MSCS in an encrypted format. An electronic spreadsheet created by MSCS was then allegedly sent to the second vendor, Corcino & Associates, for help in creating a graph. The spreadsheet was later posted to a student "homework help" website, where it remained for nearly a year.

The lawsuit alleged that the breach violated the California Confidentiality of Medical Information Act. It is not clear whether the breach also represented a HIPAA violation. There is no private right of action under HIPAA, which is largely enforced by the Office for Civil Rights (OCR) within the Health and Human Services Department (HHS). However, breaches of protected health information can also violate state laws which doallow patients to sue the responsible parties, as in this case.