HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cottage Health System Security Audit Reveals 11K-Record Data Breach

Cottage Health System notified 11,000 of its patients on Tuesday to advise them that some of their Protected Health Information (PHI) was exposed as a result of a server incident that occurred in late October, 2015.

For 14 days, patients' Social Security numbers, details of medical diagnoses and procedures, and their names and addresses were exposed as a result of protections being removed from a server. A statement released by Cottage Health indicates that no financial information or driver's license numbers were exposed in the incident.

The security breach was discovered on November 8, and the affected server was taken offline and secured. Upon investigation, Cottage Health determined that patient data first became accessible on October 26, 2015.

An external computer forensics firm has been contracted to conduct a full investigation into the security breach to determine whether any of the data were accessed during the period they were exposed. At present, no information has been released to indicate whether the security breach was caused by an external third party or by an internal error.


It does not appear that any data have been accessed during the time they were accessible, although the full forensic investigation should clarify this, as well as the level of risk faced by affected patients.

Santa Barbara-based Cottage Health System serves patients in Southern California through its network of 5 hospitals: Santa Barbara Cottage Hospital, Goleta Valley Cottage Hospital, Cottage Children’s Medical Center, Santa Ynez Valley Cottage Hospital and Cottage Rehabilitation Hospital. This is not the first time its patients have had their privacy violated as a result of a server incident of this nature.

Two years ago, the health system discovered server protections had been inadvertently turned off. That security breach was the result of an error made by one of the health system’s business associates, InSync Computer Solutions, Inc. The security breach was initially thought to have affected 32,500 patients, although a further 18,418 patients were subsequently discovered to have also been affected. As a result of the removal of security protections, patient PHI was indexed by Google.

A lawsuit was filed against the health system for the exposure of patient PHI, which Cottage Health settled for $4.125 million. A large proportion of that settlement was due to be paid by the health system’s insurance company, Columbia Casualty. However, Columbia Casualty sued Cottage Health claiming numerous security failures contributed to the cause of the breach. The insurance policy required Cottage Health to implement a number of controls to reduce risk.

While Columbia Casualty attempted to avoid covering the settlement, its lawsuit was thrown out in July 2015.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.