Nearly 11,000 patients have had their health information exposed in a recent healthcare data breach at Cottage Health in California.
According to a hospital statement, an outside IT security contractor was testing the provider’s data systems when it discovered a server that had been breached. The contractor has since shut down the server.
Potentially disclosed information includes patient names, addresses, Social Security numbers, and health information such as diagnosis or procedure. No other financial or billing information was included in the breach.
Potentially affected individuals include those receiving care at Goleta Valley Cottage Hospital, Santa Barbara Cottage Hospital, and Santa Ynez Valley Cottage Hospital.
According to Cottage Health, this information was exposed between October 26 and November 8 of this year. Since then, the provider has issued data breach notification letters to potentially affected individuals. These letters were sent on December 1.
Cottage Health has also offered those individuals a free, one-year subscription to a credit monitoring service.
Cottage Health also advised potentially affected individuals to put a fraud alert on their credit files because Social Security numbers had been compromised.
Despite its precautionary actions and advisories, Cottage Health took care to emphasize that receiving a data breach notification letter does not necessarily mean that an individual has been the victim of identity theft. Additionally, the healthcare system states that it has no reason to believe that the information has been misused.
Cottage Health is no stranger to health data breaches. In 2013, the healthcare system fell victim to a healthcare data breach that potentially affected nearly 32,755 individuals. This breach occurred after a third-party vendor removed certain security precautions from Cottage Health’s databases and information was exposed on Google.
Potentially compromised information included patient names, addresses, dates of birth, and some PHI such as patient diagnosis, lab results, and procedures performed. In this instance, no Social Security numbers or other billing and financial information had been breached.
In the aftermath of this healthcare data breach, Cottage Health faced a class-action lawsuit that would have cost them some $4.1 million.
To offset these kinds of settlements following data breaches, many healthcare systems take out data security insurance. Provided a health system follows the provisions in the insurance contract, the insurance will help alleviate these settlement costs.
However, in the case of Cottage Health, its insurer, Columbia Casualty Co., claimed that the health system had not entirely adhered to the contract, and therefore the insurer did not need to pay the settlement.
In a 2015 countersuit filed by Columbia Casualty Co., the insurer claimed that Cottage Health failed to “follow minimum required practices.”
Columbia Casualty Co. also argued that Cottage Health did not truthfully answer “Risk Control Self Assessment” questions, which is also grounds for breach of contract.