Cottage Health System Security Audit Reveals 11K-Record Data Breach

Cottage Health System notified 11,000 of its patients on Tuesday to advise them that some of their Protected Health Information (PHI) was exposed as a result of a server incident that occurred in late October, 2015.

For 14 days, patients had their Social Security numbers, details of medical diagnoses and procedures, and their names and addresses exposed as a result of protections being removed from a server. A statement released by Cottage Health indicates no financial information or driver’s license numbers were exposed in the incident.

The security breach was discovered on 8th November and resulted in the affected server being taken offline and secured. Upon investigation, Cottage Health determined that patient data first became accessible on October 26, 2015.

An external computer forensics firm has been contracted to conduct a full investigation into the security breach to determine whether any of the data were accessed during the period they were accessible. At present, no information has been released to indicate whether the security breach was caused by an external third party or an internal error.

It does not appear that any data have been accessed during the time they were accessible, although the full forensic investigation should clarify this, as well as the level of risk faced by affected patients.

Santa Barbara-based Cottage Health System serves patients in Southern California through its network of 5 hospitals: Santa Barbara Cottage Hospital, Goleta Valley Cottage Hospital, Cottage Children’s Medical Center, Santa Ynez Valley Cottage Hospital and Cottage Rehabilitation Hospital. This is not the first time its patients have had their privacy violated as a result of a server incident of this nature.

Two years ago, the health system discovered server protections had been inadvertently turned off. That security breach was the result of an error made by one of the health system’s business associates, InSync Computer Solutions, Inc. The security breach was initially thought to have affected 32,500 patients, although a further 18,418 patients were subsequently discovered to have also been affected. As a result of the removal of security protections, patient PHI was indexed by Google.

A lawsuit was filed against the health system for the exposure of patient PHI, which Cottage Health settled for $4.125 million. A large proportion of that settlement was due to be paid by the health system’s insurance company, Columbia Casualty. However, Columbia Casualty sued Cottage Health claiming numerous security failures contributed to the cause of the breach. The insurance policy required Cottage Health to implement a number of controls to reduce risk.

While Columbia Casualty attempted to get out of covering the settlement, the lawsuit was thrown out in July 2015.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
