A Santa Barbara Cottage Hospital patient is suing the health-care giant for negligence and violating medical confidentiality laws after safeguards protecting the personal information of 32,500 patients were removed last December and some of the information appeared online. The class-action lawsuit filed by Kenneth Rice seeks nominal damages of $1,000 per patient.
On December 12, Cottage notified its patients that a third-party vendor, InSync — a codefendant in the suit — removed “electronic security protections” from one of its servers. Medical files containing the name, address, and date of birth of patients were exposed, including “very limited personal health information” — diagnosis, lab results, and procedures performed — for some patients. The files did not include Social Security numbers, according to a statement issued by Cottage, and there is “no reason to suspect that the limited data exposed might be misused.”
But according to Los Angeles–based lawyer Brian Kabateck, the law does not require the affected patients to prove actual harm. “The mere releasing of information is enough to make them eligible [for the class-action lawsuit],” he explained. About six other patients have contacted him. “You can’t close the barn door once the cow has gotten out,” added Kabateck, who has worked on legislation to protect patients from such breaches. He claimed that the records were in an unencrypted cloud server accessible for two months (September 29 – December 2) by “any 14-year-old” who surfed the web. “This is a reoccurring problem,” Kabateck went on. “Hospitals are being careless — using outside vendors, not encrypting data, and not using password protections.”
In response, Cottage issued this statement: “Cottage takes its obligation to protect health information very seriously. We have notified the patients involved in the recent data disclosure and will continue to investigate the unique circumstances that led to this event. However, we are unable to comment on an active lawsuit.”