Santa Barbara Health-Care Winners and Losers

The past week blew both exceptionally hot and cold for the two biggest players on Santa Barbara’s health-care stage. Sansum Clinic administrators ended months of nonstop nail-biting for 7,000 Affordable Care Act patients who weren’t sure they’d have any insurance coverage at all come New Year’s Day after their provider ​— ​Anthem Blue Cross ​— ​announced this summer it was pulling out of Santa Barbara County. But Sansum announced last week that it had signed a contract with Blue Shield ​— ​after months of negotiations ​— ​to fill the void created by Anthem’s departure.

For Cottage Health, however, the headlines were not nearly so rosy. Right before Thanksgiving, California Attorney General Xavier Becerra announced Cottage had agreed to pay a $2 million settlement for repeated security problems afflicting patients’ medical records.

The Cottage settlement brings to a close what Becerra’s office termed a series of system-wide security failures that left the records of 50,000 patients exposed to internet access between 2011 and 2013 and another 4,500 exposed in 2015. According to the allegations filed against Cottage in Santa Barbara Superior Court, Cottage “failed to employ basic security safeguards, leaving vulnerable software unpatched or out of date, using default or weak passwords and lacking sufficient perimeter security, among many other problems.”

In the initial breach, the security shortcoming left the medical records of 50,000 surgery patients exposed to internet perusal. The server used by Cottage to store this data was allegedly not password protected or secured behind a firewall. Files, the complaint alleged, “could be accessed without a verified user name and password.” According to the Attorney General’s complaint, “the data was exfiltrated off the server hundreds of times.” In November 2015, another breach was discovered, this one involving another Cottage server that was also unprotected by any firewall. Not only was medical information exposed in this instance, but so too were patients’ Social Security numbers.

In response, Cottage Health issued a prepared statement reading, “Once we learned of the incidents, our information security team worked to provide quick resolutions. There is no indication that data was used in any malicious way.” Cottage also stated it has since strengthened its security system, adding layers of protection, “including new systems for monitoring, firewalls, network intrusion detection and access management protocols to help protect private data.”

It should be noted that many health-care institutions have struggled with security challenges in the wake of new federal regulations mandating electronic record keeping. Trade publications specializing in data management and security issues report a steady rise in security breaches accompanied by an increase in enforcement actions initiated by state and federal agencies. In this context, the $2 million Cottage will pay is a lot, but it’s by no means exceptional. In addition to this settlement with Becerra, Cottage has already paid $4.1 million to settle a civil lawsuit filed by affected patients.

In the meantime, Sansum administrators are heaving big sighs of relief that they managed to work out a deal with Blue Shield that will provide individual insurance policies, as mandated by the Affordable Care Act (ACA), to 7,000 patients initially provided by Anthem Blue Cross. Come January 1, 2018, Santa Barbara will be one of six counties in California with only one insurance provider offering individual plans under the ACA.

Anthem has been circumspect as to its reasons but announced this summer it was leaving 16 of the 19 California counties in which it’s been operating, citing the high cost of business and market uncertainties. The latter refers to efforts by the Trump administration first to repeal the Affordable Care Act and then to destabilize it. Initially, the White House and the Republican leadership in Congress sought to undermine the federal subsidies that make the Affordable Care Act remotely affordable. (For a 60-year-old who qualifies for the subsidies, an individual insurance plan can be had for as little as $1 a month. By contrast, the same 60-year-old who doesn’t qualify for subsidies would have to pay nearly $800 a month.) When that failed, the Republicans included language in their tax reform bill that would eliminate the individual insurance mandate. Without that, younger and healthier individuals would have less incentive to buy insurance, thus leaving the system to the older and sicker to economically sustain.

Nationally, counties with only one provider selling individual plans are small and typically located in red states. Santa Barbara is clearly neither. Insurance brokers speculate the high cost of medical care in a market dominated by just one hospital ​— ​Cottage in South County and Marian Regional Medical Center in the north ​— ​drove up the costs of care well past Anthem Blue Cross’s profit margin of 2 percent. Peter Lee, head of Covered California, also cited such monopolies as a reason for Anthem’s departure when he was in town beating the drum for new enrollments three weeks ago.

Insurance broker David Peters termed the Sansum–Blue Shield agreement “huge,” adding, “It felt like a deal that had to happen, but then I’ve seen lots of deals ‘that had to happen’ not happen.” Peters said he has 600 families he now has to transfer from Blue Cross to Blue Shield by December 15. To date, he said, he’s managed to get 67 transferred. To get the rest switched before their coverage temporarily lapses, he said, would be a “logistical impossibility.” To make the deal work, he added, Blue Shield cut the commission that brokers would otherwise have received by 60 percent.

Peters said a handful of other brokers have already asked him to take over their clients. Roger Perry, another well-known broker, said he doesn’t expect any hitches in transferring clients from Anthem to Blue Shield, but he did say prices are going up. One woman with a 2-year-old child, he said, will have to pay 33 percent more to get her child covered by Blue Shield. On average, Perry said, the rates will go up by 10 to 12 percent.