Cottage Health CEO and President Ron Werft notified hospital administrators of a cyber security breach affecting the protected health information of as many as 11,000 Cottage patients at the hospital’s three main campuses. The breach, he said, took place between October 26 and November 8.
“As a result of the server being exposed, search engines including Google and Bing indexed a limited amount of PHI [protected health information],” Werft wrote. “We immediately requested that the information be removed and have confirmed the information was taken down last week.” That information, he said, included patients’ names, addresses, Social Security numbers, and medical information relating to diagnosis and prognosis.
Werft stated there was no information to indicate any of this information has been misused, but said the exposure was being tracked by “outside forensic experts” to determine what, if any, impact there’s been. He said the breach was discovered by the hospital’s information security team.
Two years ago, Cottage reported a possible breach affecting the records of 32,500 patients that took place between October and December 2013. Going back to 2009, Cottage reported as many as 18,000 more could have been involved. Werft stated that Cottage hopes to engage the services of a new information technology management team on a consulting basis, while also looking for a new Chief Information Officer. After that, he announced, Cottage would begin looking for a new director of technology operations.
In the meantime, any patients concerned about their records have been advised to call Cottage’s identity protection services at 1-877-866-6056 or visit the webpage. Werft’s announcement comes shortly after the Santa Barbara County Public Health Department reported a more limited records breach of its own.