
Cottage Health Healthcare Data Breach Attorney

Health Information Data Breach

A class action lawsuit is litigation against an individual or business whose actions, policies, or products resulted in damage across a “class” of individuals or business entities. A class action can be the best option for suing one or a few defendants when there are too many potential plaintiffs to include everyone in a standard lawsuit. The class action process gives hundreds, or even hundreds of thousands, of people a voice and the opportunity to present a uniform lawsuit together for the benefit of all.

Cottage Health is a private, not-for-profit [1] community organization that provides medical care to communities in Santa Barbara, Goleta, and Santa Ynez Valley, California.  On December 1, 2015, Cottage Health System advised 11,000 of its patients that some of their Protected Health Information was exposed as a result of a server incident that occurred in late October 2015.  According to Cottage Health, the patients involved had their Social Security numbers, details of medical diagnoses and procedures, as well as their names and addresses, exposed for a period of fourteen days as a result of protections being removed from a server.  A statement released by Cottage Health [2] provides, in part, as follows:

“A team of cyber security experts was employed by CH to test data system security. This team recently discovered and shut down a single server that was exposed between October 26 and November 8, 2015. Our investigation revealed that limited information of approximately 11,000 Cottage Health patients was exposed… Because your Social Security number may have been exposed, we recommend that you place a fraud alert on your credit files. A fraud alert lasts for 90 days. You can place a fraud alert by calling any one of the three credit bureaus to automatically place an alert with all three. You will receive letters confirming the fraud alert.”

The security breach was discovered on November 8, 2015, and resulted in the affected server being taken offline and secured. After investigating the situation, officials at Cottage Health determined that patient data first became accessible on October 26, 2015.  An external computer forensics firm was contracted to conduct a full investigation into the security breach to determine whether the data was accessed during the fourteen-day period in question.

Unfortunately, this is not the first time that Cottage Health has had difficulties with a security breach. In December of 2013, Cottage Health System notified nearly 33,000 of its patients [3] that their protected health information had been compromised after the health system and one of its third-party vendors, InSync, removed electronic security protections for one of its services and stored unencrypted medical records on a system accessible to the Internet. The server was made secure on Dec 2, 2013, as soon as the security breach was discovered, and a request was sent to Google to de-index the file.

The Class Action Complaint [4] alleges as follows:

“(5)  The extent of the breach is enormous.  This was not a situation where some isolated medical record was disclosed and released on the internet.  The medical files for 32,500 patients who received treatment over a period of over 4 years at COTTAGE HOSPITAL were taken from the hospital, placed in electronic form on various servers connected to the internet, where they could be reviewed, copied or otherwise examined by any of the hundreds of millions of people who “surf” the internet every day.

(6) And, in fact, the medical records that were disclosed and released on the internet were actually viewed by third parties. On or around December 2, 2013, a third party called COTTAGE HOSPITAL to tell them that he was able to read the confidential medical records of patients that were on the internet.”

The class action lawsuit goes on to allege:

(33)  The medical records were maintained without encryption.

(34) The medical records were maintained without password protection.

(35) The medical records were maintained without a firewall.

(36) The medical records were maintained without file access permission that prevented unauthorized access.

(37) The medical records were maintained on the internet without proper safeguards in both hardware and software to prevent release to the public.

Based upon the conduct of COTTAGE HEALTH, the Plaintiff alleged that Cottage Health violated the Confidentiality of Medical Information Act [5] (CMIA), which prohibits health care providers from disclosing medical information regarding a patient without first obtaining written authorization from the patient.

In September of 2013, after the initial complaint was filed, the number of patients allegedly affected by the initial breach was increased by nearly 20,000 patients, to a total of 50,918 [6] patients:

“Cottage Health System, CA, ‘InSync Computer Solutions, Inc.’, 50918, 03/11/2012, Other, Network Server, 09/04/2014”

The length of time for the overall breach was also modified from the eight weeks set forth in the initial complaint to a period of approximately 14 months after an investigation revealed the security protection was removed by InSync on Oct 8, 2012.

The 2013 security breach resulted in the exposure of a file containing personal health information on the server where it was left unsecured and exposed for more than a year.  During that time, patient names, dates of birth, medical diagnoses, lab results and procedures, medical record numbers, account numbers, and addresses were all contained on the unsecured server.

Cottage Health advised patients, in part, as follows:

“CHS takes its obligation to protect your personal health information very seriously and apologizes for any inconvenience this may cause you… We want to also assure you we have taken steps to prevent this type of event from happening again, including reviewing service relationships with third party vendors, expanding and increasing the frequency of internal and external security checks, and enhancing our ‘change notification system.’”

Cottage Health was sued over the 2013 security breach in a class action lawsuit filed against it in January of 2014, “Kenneth Rice v. Insync, Cottage Health System, et al, case number 30-2014-00701147-CU-NP-CJC,” in the Superior Court of California, Orange County. Cottage Health settled the class action through a mediated agreement for $4.1 million, approved by an Order Granting Final Approval of Proposed Class Action Settlement [7] entered on April 15, 2015. That agreement provides, in part:

“The settlement provides for a Settlement Fund of $4,125,000 which will result in a net settlement fund of $2,587,585.55 for equal distribution among approximately 50,036 settlement class members. The settlement provides for such cash payments to each member of the settlement who did not request exclusion, without requiring any settlement class member to affirmatively participate in the claims process.”

After entry of the settlement order, Cottage Health was sued by its insurer, Columbia Casualty, because the insurer did not want to cover the settlement costs. See Columbia Casualty v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal., filed May 7, 2015). This lawsuit was one of the first cyber/data privacy disputes under a cyber insurance policy that resulted in litigation. In the lawsuit, the insurer alleged that Cottage Health failed to implement the procedures and risk controls identified in its insurance application. Much of the focus of Columbia v. Cottage rests with a provision known as the “Mistake Exclusion,” which precludes coverage in the event that the insured, in this case Cottage Health System, fails to maintain adequate data security safeguards. Ultimately, the case was dismissed because the insurance policy included a mandatory alternative dispute resolution (ADR) provision for disputes between the insured and insurer, and Columbia Casualty failed to attempt dispute resolution prior to filing the lawsuit and initiating litigation.

Even though the 2013 class action lawsuit was ultimately resolved by way of a mediated agreement, the allegations regarding Cottage Health’s prior security breach are of public record and will likely play a role in any class action lawsuit that is filed in connection with this most recent security breach, identified in December of 2015. An experienced class action attorney will be able to best protect your rights by introducing this type of information and evidence in any new class action filed against Cottage Health System.

Characteristics of a Class Action Lawsuit

Many class action lawsuits have similar characteristics, regardless of the specifics of the case, including, but not limited to, the following:

  • A class action groups many possible individual claims into one larger claim.
  • It is necessary for attorneys to demonstrate that the individual victims have a uniformity of damages. Once this is proven, the attorneys request that the judge certify the group of victims as a class action.
  • In order for the judge to be able to certify the class, it is necessary to meet certain requirements, depending upon the specifics of the case:
      • The representative plaintiff has suffered the same alleged injuries as the proposed class.
      • The class can be defined specifically enough to determine who is a member and who is not a member.
      • The number of individuals involved makes joining all of them to the lawsuit difficult or impractical. By way of example, 30 individuals may be more than enough.
      • A common set of factors that apply to all of the victims’ injuries.
      • The representative plaintiff’s claim is so similar to those of the class members that litigating the representative case is adequate to decide the cases of the class.
      • A class action is the most efficient way to resolve the claims for those involved.
  • A certified class does not mean that the judge thinks the defendant is guilty or liable, but it does mean that the case has been vetted, to some extent.
  • Because the members of the class oftentimes include a broad range of individuals or business interests, notice must be provided to the members of the certified class. This notice is generally provided to all parties with a similar claim during a defined time period.
  • The notice provided to class members describes the options that a class action member can take, including the choice to “opt-out”, or not participate in the class action lawsuit.
  • If an individual elects to participate in the class action lawsuit, they are bound by the terms of any settlement that is reached and are not allowed to take further action against the defendant on their own behalf.
  • Many class action lawsuits are resolved by way of settlement and agreement that is then approved by the judge.
  • Once an agreement or settlement is reached, the judge will determine a formula to distribute the agreed upon monies to the class action members.
  • If a defendant settles the case or loses at the time of trial, the victims are each given a percentage of the damages. If it is too difficult to identify and contact all of the victims, a fund is oftentimes made available to provide damages to any individual who demonstrates that they were harmed by the defendant’s actions.


Cyber security is a growing issue plaguing many companies. In 2015, the London-based insurance market Lloyd’s [8] reported a 50 percent increase in the number of data breach insurance submissions filed in the first three months of 2015 as compared to the previous year. Without effective cyber security, incidents like that at Cottage Health may happen to any other business, resulting in significant financial losses. If you or someone you love has been the victim of a security breach with Cottage Health or any other entity, it is important to speak to an experienced Cottage Health Data Breach class action attorney. At the Levin Firm, we understand how difficult it is to have your personal health information, including your Social Security number and private medical information, subjected to a security breach and potentially available to be viewed online by the general public. We know how to evaluate your situation based upon the facts of your case and to investigate what type of claim can be made on your behalf. Please call 215-825-5183 to schedule a free consultation today or call our toll free number at 877-825-8542.


[1] http://www.cottagehealth.org/about/

[2] http://www.cottagehealth.org/notification-on-data-disclosure/

[3] http://www.healthcareitnews.com/news/hipaa-security-gaffe-puts-phi-google

[4] http://www.ricesettlement.com/docs/complaint.pdf

[5] http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=00001-01000&file=56-56.07

[6] http://www.databreaches.net/update-on-cottage-health-system-breach/

[7] http://www.ricesettlement.com/docs/2015-04-15_Order_Granting_Final_Approval.pdf

[8] http://www.tripwire.com/state-of-security/latest-security-news/cyber-insurance-market-expanding-due-to-high-profile-attacks/
