Cottage Hospital administrators notified 32,500 patients that the security protections limiting outside access to their health records had been removed by a third-party vendor, posing the possibility that the contents of these records may have been breached. “At this time, there is no evidence to suggest that anyone has used the information stored on the server,” stated Steven Fellows, Cottage executive vice president.
According to Fellows’s memo, the files in question contained the medical records of up to 32,500 patients who’d been treated at Cottage’s Goleta, Santa Ynez, and Santa Barbara centers between September 29, 2009 and December 2, 2013. According to Fellows, the files contained no financial information, driver’s licenses, or Social Security numbers. They did, however, contain some medical details relating to diagnosis, lab test results, and procedures performed.
Cottage spokesperson Maria Zate stated in a press release that the vendor has since been terminated and that Cottage is conducting an audit of security protocols to determine whether other breaches may have occurred. To date, she said, there’s no evidence to suggest that’s happened.
Zate said the vendor removed the electronic security device without notifying Cottage. The hospital learned of the removal when an unnamed third party left a voicemail on Cottage’s phone system, alerting hospital administrators that health details relating to one patient had surfaced during a Google search.
Cottage mailed the notice last Friday and has received some calls back, said Zate, “But the phones haven’t been ringing off the hook.” She said Cottage is offering a range of remedial security services for any patients who are interested.