The ‘Snoopy Float’ Of The PHI Breach Parade

September 30, 2011Articles Law 360

What was the highlight of the Macy’s Thanksgiving Day parade when we were kids? The Snoopy float was probably right up there, along with the Sesame Street and Disney floats. Spectators of the protected health information (PHI) breach parade will be awed by the sight of the recent, somewhat bizarre, business associate (BA) breach involving Stanford Hospital’s emergency room data, as reported in The New York Times by Kevin Sack on Sept. 8, 2011.1

The PHI of 19,651 emergency room patients seen in the Palo Alto, Calif., hospital reportedly somehow made its way from the hospital’s BA, Multi-Specialty Collection Services LLC, to a public website used by students. The publicly posted information included names and diagnoses for patients who visited the emergency room during a six-month period in 2009.

This PHI breach stands out for a couple of unusual aspects. First, the data was allegedly made publicly accessible in September 2010 as a spreadsheet attached to a document on the website “Student of Fortune,” a site describing itself as “Your source for easy online homework help!” As reported in the Sack article: “Gary Migdol, a spokesman for Stanford Hospital and Clinics, said that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph."

The PHI breach was purportedly discovered on Aug. 22, 2011, by a Stanford Hospital patient and reported to the hospital. The fact that nearly a year had lapsed from the time of the breach to its reported discovery suggests the PHI was: (1) not recognized as “real” by viewers, (2) not thought by viewers to be worth noting or reporting, and/or (3) not actually viewed by anyone during the year it was accessible to students seeking bar graph tutorial.

Nonetheless, the volume of patients affected, the sensitivity of the PHI data, the apparent lack of sufficient care by the BA and the surprising nonchalance of whoever posted the PHI to be sifted and sorted by “Students of Fortune” accessing a publicly available website combine to make an attention-grabbing PHI breach event (the Snoopy float).

Also reported on a New York Times blog site by Nick Bilton on Sept. 8, 2011,2 Sen. Richard Blumenthal, D-Conn., introduced a bill, the Personal Data Protection and Breach Accountability Act of 2011, which, if passed, would impose strict storage and protection requirements for companies that store online data for more than 10,000 people. (Sen. Blumenthal was previously highlighted on our blog, http://hipaahealthlaw.foxrothschild.com , for his groundbreaking activities as attorney general of Connecticut in investigations and enforcement actions against entities involved in PHI security breaches.)

While “Student of Fortune” was certainly not “storing” the emergency room PHI, the bill would likely affect BAs such as Multi-Specialty Collection Services. To the extent the Blumenthal bill imposes new or additional privacy and security provisions, covered entities and BAs handling large amounts of PHI would be subject to these provisions in addition to existing Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health and state law requirements.

But back to the Snoopy float. The Stanford Hospital PHI breach (and the manner in which it was reported in the Sack article) stands out for a number of ironies. A large amount of sensitive PHI was accessible to the public, but obscurely so (only to Students of Fortune using a particular learning tool and astute enough to recognize, or care about, the sensitivity of the information). If the Stanford Hospital patient had not noticed and reported the PHI breach, would the breach have ever been noticed? Would any patient have been harmed?

Even more ironic is the fact that one affected patient may actually have been harmed as a result of the breach reporting, rather than from the breach itself. The Sack article quotes (by name) a patient’s mother who “intercepted” the breach notice mailed from Stanford Hospital to her 21-year-old son. The mother was quoted as stating her son received psychiatric treatment at Stanford in 2009 and “My son, I can tell you [Kevin Sack], is fragile and confused enough that this would have sent him over the edge."

One can only hope the disclosure of his "fragile" state in a national newspaper will not have a similar effect. Perhaps, in this Facebook and Twitter age, we could all use reminders about what kind of information is private and sensitive, when we should report breaches of it, and with whom we should share it. The Snoopy float is a good reminder.

A final irony is that Michael Mucha, the Stanford Hospital chief information security officer at the time of the Stanford PHI breach, has written extensively and has been widely quoted regarding information security. He has been quoted as saying, “The biggest thing we [Stanford Hospital] focus on with all of this is control of the data.” Unfortunately the Snoopy float PHI breach belies the level of control of the data that can be exercised by Stanford and other covered entities, even with safeguards in place.

This story will undoubtedly have further developments. No additional information, however, was provided in the description of the incident on the U.S. Department of Health and Human Services list of reported large breaches of unsecured PHI affecting 500 or more individuals.

1. Kevin Sack, "Patient Data Posted Online in Major Breach of Privacy," The New York Times, Sept. 8, 2011, final edition (accessed Sept. 9, 2011).

2. Nick Bilton, “Senator Introduces Online Security Bill,” The New York Times, Sept. 8, 2011, final edition (accessed on Sept.9, 2011).

The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or Portfolio Media, publisher of Law360. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

All Content © 2003-2011, Portfolio Media, Inc.