
Cottage Health System Data Breach May Have Impacted 18,000 More Patients Than First Suspected

By Lara Cooper, Noozhawk Staff Writer | @laraanncooper

A data breach of protected health information at Cottage Health System may have impacted thousands more patients than initially suspected.

Last year, Cottage Health System discovered that one of its servers had the electronic protections disabled, resulting in the exposure of certain information, according to a letter sent to patients.

Cottage recently discovered that approximately 18,000 additional patients may have been impacted by the data exposure, beyond the initial 32,500 notified in December 2013.

A class-action lawsuit was filed against Cottage Health System, claiming that the confidential information of more than 32,000 patients was put online for anyone to read, and was public for almost two months before the hospital system noticed.

The lawsuit also names inSync, a Laguna Hills-based company responsible for putting the records in a secure location online.

Brian Kabatek, one of the attorneys representing the class-action plaintiffs, told Noozhawk he believes the new patients are part of the same security breach and that his firm is working to discover what that will mean for the lawsuit.

"This may, however, be much bigger than we originally thought," he said.

The 15-page complaint filed earlier this year states that between Oct. 8 and Dec. 2 of 2013, the confidential medical records of about 32,500 patients affiliated with the Cottage Health System were negligently disclosed and released to the public on the Internet.

In early July, Cottage sent out more letters to patients, acknowledging that their information could be a part of the data breach as well. The time frame also expanded, including patients who sought treatment at any of the three hospitals between Feb. 20, 2009, and Dec. 2, 2013.

Cottage officials say there is no evidence to suggest that anyone has used the information contained on this server in any way.

The potentially exposed files contained information including the name, address, date of birth and very limited protected health information for some patients related to diagnosis, lab results and procedures performed, Cottage officials have said.

The files did not include any Social Security numbers, driver's license numbers, health insurance numbers, bank account numbers or any other financial information, and officials with the health organization maintain that they immediately removed the server from service and conducted a review of all servers to ensure that appropriate security measures are in place.

"We deeply regret this incident," Steve Fellows, Cottage Health System's executive vice president, COO and chief compliance officer, said in a statement. "Cottage takes its obligation to protect health information very seriously and is taking aggressive steps to safeguard against this type of incident in the future."

Cottage is encouraging patients with questions regarding whether their protected health information may have been exposed to contact ID Experts at 877.846.7856.
