A data breach of protected health information at Cottage Health System may have impacted thousands more patients than initially suspected.
Last year, Cottage Health System discovered that one of its servers had the electronic protections disabled, resulting in the exposure of certain information, according to a letter sent to patients.
Cottage recently discovered that approximately 18,000 additional patients may have been impacted by the data exposure, beyond the initial 32,500 notified in December 2013.
A class-action lawsuit was filed against Cottage Health System, claiming that the confidential information of more than 32,000 patients was put online for anyone to read, and was public for almost two months before the hospital system noticed.
The lawsuit also names inSync, a Laguna Hills-based company responsible for putting the records in a secure location online.
Brian Kabatek, one of the attorneys representing the class-action plaintiffs, told Noozhawk he believes the new patients are part of the same security breach and that his firm is working to discover what that will mean for the lawsuit.
"This may, however, be much bigger than we originally thought," he said.
The 15-page complaint filed earlier this year states that between Oct. 8 and Dec. 2 of 2013, the confidential medical records of about 32,500 patients affiliated with the Cottage Health System were negligently disclosed and released to the public on the Internet.
In early July, Cottage sent out more letters to patients, acknowledging that their information could be a part of the data breach as well. The time frame also expanded, including patients who sought treatment at any of the three hospitals between Feb. 20, 2009, and Dec. 2, 2013.
Cottage officials say there is no evidence to suggest that anyone has used the information contained on this server in any way.
The potentially exposed files contained information including the name, address, date of birth and very limited protected health information for some patients related to diagnosis, lab results and procedures performed, Cottage officials have said.
The files did not include any Social Security numbers, driver's license numbers, health insurance numbers, bank account numbers or any other financial information, and officials with the health organization maintain that they immediately removed the server from service and conducted a review of all servers to ensure that appropriate security measures are in place.
“We deeply regret this incident," Steve Fellows, Cottage Health System's executive vice president, COO and chief compliance officer, said in a statement. "Cottage takes its obligation to protect health information very seriously and is taking aggressive steps to safeguard against this type of incident in the future."
Cottage is encouraging patients with questions regarding whether their protected health information may have been exposed to contact ID Experts at 877.846.7856.