Who Wants to See 32,500 Patient Records?
SANTA ANA, Calif. (CN) - Three Southern California hospitals released confidential records of 32,500 patients to the Internet, patients claim in a class action.
Cottage Health System hospitals in Santa Barbara, Goleta Valley and Santa Ynez Valley were none the wiser when 4 years of patients' records were publicly posted, from Oct. 8 through Dec. 2, 2013, according to the complaint in Orange County Court.
Lead plaintiff Kenneth Rice claims the hospital learned of the "enormous" data breach when a man discovered the records online and contacted one of the hospitals.
Lead defendant Insync, a Laguna Hills-based tech company, created a system for Cottage Health System hospitals to access records over the Internet but did not encrypt the data or take other security measures, Rice claims. So for eight weeks the records were "readily available" to anyone with an Internet connection, Rice says in the complaint.
"The extent of the breach is enormous. This was not a situation where some isolated medical record was disclosed and released on the Internet," the complaint states. "The medical files for 32,500 patients who received treatment over a period of over 4 years at Cottage Hospital were taken from the hospital, placed in electronic form on various servers connected to the Internet, where they could be reviewed, copied or otherwise examined by any of the hundreds of millions of people who 'surf' the internet every day."
Records of patients who had visited the hospital from Sept. 29, 2009 to Dec. 2, 2013, presumably would have been online longer if the unnamed "third party" had not called the hospital.
"How was it possible that the medical records could be placed in the public domain Internet, for anyone to view for months, without Cottage Hospital detecting that anyone surfing the internet could view the confidential medical records of 32,500 of its patients?" the lawsuit asks.
Rice claims the "only answer" is that the hospital was "completely negligent," disregarding patient protections under the California Medical Information Act and the Health Insurance Portability and Accountability Act.
The hospital had a legal obligation to "institute sufficient management safeguards to detect and prevent such breaches from occurring," Rice adds.
He seeks class certification, damages and statutory damages.
He is represented by Brian Kabateck with Kabateck Brown Kellner.
Cottage Health System did not immediately respond to a request for comment.