The confidential medical records of 32,500 patients of Cottage Health System were a Google search away from discovery for months after being inadvertently exposed to the Internet last October.

Last week, a class-action lawsuit was filed on the patients’ behalf, claiming the hospital chain was “reckless” and “negligent” in handling the files. “Nobody bothered to encrypt the data,” attorney Brian Kabateck said. “It's just careless.”

The California Attorney General’s office likes encryption and noted in a report last year (pdf) that more than half the 2.5 million victims of data breaches it surveyed in the state in 2012 would have benefited from its presence. About 15% of the 131 incidents noted by the AG were in health care. The study did not seek out breaches with fewer than 500 individuals.

The records covered patients who were at Goleta Valley Cottage Hospital, Santa Ynez Valley Cottage Hospital and Santa Barbara Cottage Hospital over a four-year period, between Sept. 29, 2009, and Dec. 2, 2013. They did not include numbers for Social Security, driver’s licenses, health insurance or financial accounts.

They did include names, addresses and dates of birth, as well as information on medical procedures, lab tests and other personal medical notes.

Cottage said it discovered, on December 2, that a third-party vendor it had hired to digitize records appeared to have removed electronic security protections from one of its servers, exposing the data. There is no evidence that the information was actually accessed or used for any non-hospital purpose, but there is no evidence it was not.

As is usually the case in these all-too-common breaches of privacy, the company will spend money on providing identity theft and restoration services for the victims “in the unlikely event that any exposed information may be misused.” The hospital said the offer reflected the “abundance of caution” it was taking in the matter.

Tracking the security of medical records, or lack of it, is a cottage industry.

Scrolling through the “Latest Health Data News Breaches” at Health IT Security reveals these California contributions since November 20, 2013: “UC Davis Notifies 1,800 Patients of Email Breach,” “San Jose, Ca. Surgeon Notifies 8,900 Patients of Laptop Theft,” “L.A. Gay and Lesbian Services Suffers Data Breach,” “Update: Kaiser Permanente Breach Affects 49,000 Patients,” “Over 8,000 UCSF Patients Notified of Physician Laptop Theft” and “Over 1,000 Notified of Missing Thumb Drive, Patient Data.”          

The U.S. Department of Health and Human Services (HHS) lists 18 breaches of health privacy information in California last year affecting at least 500 patients. But it doesn’t list the Cottage snafu, so it may not be totally up to date. The 18 breaches claimed a total of 911,957 victims, an average of 50,664. But 92% of them were victimized in three incidents, including 729,000 in one, thanks to two missing laptops at AHMC Healthcare Inc. The median number of victims was 2,291. The agency listed 26 breaches in 2012.

–Ken Broder

To Learn More:

Who Wants to See 32,500 Patient Records? (by Matt Reynolds, Courthouse News Service)

Cottage Health System Alerts 32,755 Patients of Data Breach (by Patrick Ouellette, Health IT Security) 

Cottage Health System Notifies Patients of Possible Data Disclosure (Cottage Health System)

Stolen Hospital Laptops with Unencrypted Files Put 729,000 Patients at Risk (by Ken Broder, AllGov California)

Breaches Affecting 500 or More Individuals (U.S. Department of Health and Human Services)