Cottage Health Data Breach (2015)

Nearly 11,000 patients have had their health information breached in a recent healthcare data breach at Cottage Health in California. According to a hospital statement, an outside IT security contractor was testing the provider's data systems when it discovered a server that had been breached. The contractor has since shut down the server. Potentially disclosed information includes patient names, addresses, Social Security numbers, and health information such as diagnosis or procedure. No other financial or billing information was included in the breach. Potentially affected individuals include those receiving care at Goleta Valley Cottage Hospital, Santa Barbara Cottage Hospital, and Santa Ynez Valley Cottage Hospital. According to Cottage Health, this information was exposed between October 26 and November 8 of this year. Since then, the provider has issued data breach notification letters to potentially affected individuals. These letters were sent on December 1. Cottage Health has also offered those individuals a free, one-year subscription to a credit monitoring service. A team of cyber security experts was employed by CH to test data system security. This team recently discovered and shut down a single server that was exposed between October 26 and November 8, 2015. Our investigation revealed that limited information of approximately 11,000 Cottage Health patients was exposed.We are deeply sorry and regret any inconvenience or concern this may cause. We value our patients' trust and will continue rigorous testing of our systems, using the latest technology to safeguard data. Notification letters were mailed to individuals who were potentially impacted, so that we can provide them with identity theft protection services as a precaution. The information involved included names, addresses, social security numbers and limited medical information such as diagnosis and procedure. There is no evidence that driver's license numbers or financial information was compromised.We have hired a third-party computer forensic company to continue the investigation. At this time we have no indication that information was misused.