A class action lawsuit is litigation against an individual or business whose actions, policies, or products resulted in damage across a “class” of individuals or business entities. A class action can be the best option for suing one or a few defendants when there are too many potential plaintiffs to include everyone in a standard lawsuit. The class action process gives hundreds, or even hundreds of thousands, of people a voice and the opportunity to present a uniform lawsuit together for the benefit of all.
Cottage Health is a private, not-for-profit community organization that provides medical care to communities in Santa Barbara, Goleta, and Santa Ynez Valley, California. On December 1, 2015, Cottage Health System advised 11,000 of its patients that some of their Protected Health Information was exposed as a result of a server incident that occurred in late October 2015. According to Cottage Health, the patients involved had their Social Security numbers, details of medical diagnoses and procedures, as well as their names and addresses, exposed for a period of fourteen days as a result of protections being removed from a server. A statement released by Cottage Health provides, in part, as follows:
“A team of cyber security experts was employed by CH to test data system security. This team recently discovered and shut down a single server that was exposed between October 26 and November 8, 2015. Our investigation revealed that limited information of approximately 11,000 Cottage Health patients was exposed…Because your Social Security number may have been exposed, we recommend that you place a fraud alert on your credit files. A fraud alert lasts for 90 days. You can place a fraud alert by calling any one of the three credit bureaus to automatically place an alert with all of three. You will receive letters confirming the fraud alert.”
The security breach was discovered on November 8, 2015, and resulted in the affected server being taken offline and secured. After investigating the situation, officials at Cottage Health determined that patient data first became accessible on October 26, 2015. An external computer forensics firm was contracted to conduct a full investigation into the security breach to determine whether the data was accessed during the fourteen-day period in question.
Unfortunately, this is not the first time that Cottage Health has had difficulties with a security breach. In December of 2013, Cottage Health System notified nearly 33,000 of its patients, whose protected health information had been compromised after the health system and one of its third-party vendors, InSync, removed electronic security protections for one of its services and stored unencrypted medical records on a system accessible to the Internet. The server was made secure on December 2, 2013, as soon as the security breach was discovered, and a request was sent to Google to de-index the file.
The Class Action Complaint alleges as follows:
“(5) The extent of the breach is enormous. This was not a situation where some isolated medical record was disclosed and released on the internet. The medical files for 32,500 patients who received treatment over a period of over 4 years at COTTAGE HOSPITAL were taken from the hospital, placed in electronic form on various servers connected to the internet, where they could be reviewed, copied or otherwise examined by any of the hundreds of millions of people who “surf” the internet every day.
(6) And, in fact, the medical records that were disclosed and released on the internet were actually viewed by third parties. On or around December 2, 2013, a third party called COTTAGE HOSPITAL to tell them that he was able to read the confidential medical records of patients that were on the internet.”
The class action lawsuit goes on to allege:
(33) The medical records were maintained without encryption.
(34) The medical records were maintained without password protection.
(35) The medical records were maintained without a firewall.
(36) The medical records were maintained without file access permission that prevented unauthorized access.
(37) The medical records were maintained on the internet without proper safeguards in both hardware and software to prevent release to the public.
Based upon the conduct of COTTAGE HEALTH, the Plaintiff alleged that they violated the Confidentiality of Medical Information Act (CMIA), which prohibits health care providers from disclosing medical information regarding a patient without first obtaining written authorization from the patient.
In September of 2013, after the initial complaint was filed, the number of patients allegedly affected by the initial breach was increased by nearly 20,000 patients, to a total of 50,918 patients:
“Cottage Health System, CA, ‘InSync Computer Solutions, Inc.’, 50918, 03/11/2012, Other, Network Server, 09/04/2014”
The length of time for the overall breach was also modified from the eight weeks set forth in the initial complaint to a period of approximately 14 months after an investigation revealed the security protection was removed by InSync on Oct 8, 2012.
The 2013 security breach resulted in the exposure of a file containing personal health information on the server where it was left unsecured and exposed for more than a year. During that time, patient names, dates of birth, medical diagnoses, lab results and procedures, medical record numbers, account numbers, and addresses were all contained on the unsecured server.
Cottage Health advised patients, in part, as follows:
“CHS takes its obligation to protect your personal health information very seriously and apologizes for any inconvenience this may cause you…We want to also assure you we have taken steps to prevent this type of event from happening again, including reviewing service relationships with third party vendors, expanding and increasing the frequency of internal and external security checks, and enhancing our ‘change notification system.’”
Cottage Health was sued over the 2013 security breach in a class action lawsuit that was filed against them in January of 2014, pursuant to case “Kenneth Rice v. Insync, Cottage Health System, et al, case number 30-2014-00701147-CU-NP-CJC” filed in the Superior Court of California, Orange County. Cottage Health settled the class action through a mediated agreement for $4.1 million, approved by an Order Granting Final Approval of Proposed Class Action Settlement entered on April 15, 2015. That agreement provides, in part:
“The settlement provides for a Settlement Fund of $4,125,000 which will result in a net settlement fund of $2,587,585.55 for equal distribution among approximately 50,036 settlement class members. The settlement provides for such cash payments to each member of the settlement who did not request exclusion, without requiring any settlement class member to affirmatively participate in the claims process.”
After entry of the settlement order, Cottage Health was sued by its insurer, Columbia Casualty, because the insurer did not want to cover the settlement costs. See Columbia Casualty v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal., filed May 7, 2015). This lawsuit was one of the first cyber/data privacy disputes under a cyber insurance policy that resulted in litigation. In the lawsuit, the insurer alleged that Cottage Health failed to implement the procedures and risk controls identified in its insurance application. Much of the focus of Columbia v. Cottage rests with a provision known as the “Mistake Exclusion,” which precludes coverage in the event that the insured, in this case Cottage Health System, fails to maintain adequate data security safeguards. Ultimately the case was dismissed because the insurance policy included a mandatory alternative dispute resolution (ADR) provision for disputes between the insured and insurer, and Columbia Casualty failed to attempt dispute resolution prior to filing the lawsuit and initiating litigation.
Even though the 2013 class action lawsuit was ultimately resolved by way of a mediated agreement, the allegations regarding Cottage Health’s prior security breach are of public record and will likely play a role in any class action lawsuit that is filed in connection with this most recent security breach, identified in December of 2015. An experienced class action attorney will be able to best protect your rights by introducing this type of information and evidence in any new class action filed against Cottage Health System.
Many class action lawsuits have similar characteristics, regardless of the specifics of the case, including, but not limited to, the following:
Cyber security is a growing issue plaguing many companies. In 2015, the London-based insurance market Lloyd’s reported a 50 percent increase in the number of data breach insurance submissions filed in the first three months of 2015 as compared to the previous year. Without effective cyber security, incidents like that at Cottage Health may happen to any other business, resulting in significant financial losses. If you or someone you love has been the victim of a security breach with Cottage Health or any other entity, it is important to speak to an experienced Cottage Health Data Breach class action attorney. At the Levin Firm, we understand how difficult it is to have your personal health information, including your Social Security number and private medical information, subjected to a security breach and potentially available to be viewed online by the general public. We know how to evaluate your situation based upon the facts of your case and to investigate what type of claim can be made on your behalf. Please call 215-825-5183 to schedule a free consultation today or call our toll-free number at 877-825-8542.