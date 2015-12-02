Advice

As many as 11,000 patients affected after security audit found a single computer server exposed

Cottage Health’s efforts to protect the confidentiality of hospital patient records suffered a setback earlier this fall when one of its computer servers was found to be exposed to possible outside access.

In a statement released Wednesday afternoon, Cottage Health officials said limited information from as many as 11,000 patients was exposed.

Cottage Health employees were advised of the breach earlier in the day.

“Cottage Health recently hired a team of cyber security experts to test our data systems,” the statement said. “This team discovered a single server that was exposed. We immediately shut down this server and began an investigation.”

The information exposed on the server included names, addresses, Social Security numbers and limited medical information such as diagnoses and procedures performed, hospital officials told Noozhawk.

Letters were mailed out Monday to patients whose protected information may have been exposed between Oct. 26 and Nov. 8, and were expected to begin arriving in mailboxes on Thursday.

Affected patients are being offered free identity-theft protection services, along with information and resources relating to detecting and preventing identity theft.

In addition, Cottage Health has set up a call center with experts available to answer questions from concerned patients. The number — 877.866.6056 — can be called from 6 a.m. to 6 p.m. Pacific time Monday through Friday.

“Our patients place their trust in us, and it is our responsibility to protect their privacy,” said Ron Werft, Cottage Health president and CEO.

“We take that very seriously. We deeply regret this incident and will be working with our new IT security experts to deploy more safeguards in our system and protect patient data using industry-leading technology.”

In answer to questions from Noozhawk, a Cottage Health spokeswoman said there is no evidence that any information from the exposed server has been used for any unauthorized purpose.

“There is no indication that the data has been or will be misused,” the spokeswoman said. “We discovered the exposed data and moved quickly to remove the server and all data has been removed from Google’s index.”

Cottage Health experienced a similar but larger data breach in late 2013, an opening that exposed confidential information from as many as 50,000 patients.

In the 2013 incident, Cottage notified some 32,500 patients that their information may have been exposed by a data breach that occurred between Oct. 8 and Dec. 2 of that year.

Cottage subsequently notified another 18,000 patients about potential exposure during an expanded period — Feb. 20, 2009, to Dec. 2, 2013.

At the time, Cottage officials stressed that there was no evidence to suggest that anyone had used the information contained on the exposed server in any way.

The nonprofit Cottage Health operates Santa Barbara Cottage Hospital and its affiliated Cottage Children’s Medical Center and Cottage Rehabilitation Hospital, Goleta Valley Cottage Hospital and Santa Ynez Valley Cottage Hospital.

It has 583 licensed beds and employs more than 2,900 people, according to the Cottage Health website.

In 2014, Cottage Health facilities handled 117,653 outpatient visits, 71,775 emergency visits, 19,954 patients admitted, and 14,193 surgeries.

