Lead plaintiff Kenneth Rice alleges Cottage Health System hospitals in Santa Barbara, Goleta Valley and Santa Ynez Valley posted four years of patients' records to the Internet from October 8 through December 2, 2013. According to the complaint, filed in Orange County Court, the hospitals learned of the "enormous" data breach when a man discovered the records online and contacted one of the hospitals.
Insync, a Laguna Hills-based tech company and lead defendant in the class action lawsuit, allegedly created a system for Cottage Health System hospitals enabling the health care provider to access records over the Internet. However, the lawsuit claims Insync did not encrypt the data or take other security measures. Consequently, for eight weeks private health records were "readily available" to anyone with an Internet connection, the complaint states.
"The extent of the breach is enormous. This was not a situation where some isolated medical record was disclosed and released on the Internet," the complaint states. "The medical files for 32,500 patients who received treatment over a period of over 4 years at Cottage Hospital were taken from the hospital, placed in electronic form on various servers connected to the Internet, where they could be reviewed, copied or otherwise examined by any of the hundreds of millions of people who 'surf' the internet every day."
The records that were posted belonged to patients who had visited the hospital from September 29, 2009 to December 2, 2013. "How was it possible that the medical records could be placed in the public domain Internet, for anyone to view for months, without Cottage Hospital detecting that anyone surfing the internet could view the confidential medical records of 32,500 of its patients?" the lawsuit states.
Rice alleges the "only answer" is that the hospital was "completely negligent," failing to take appropriate patient protections as stipulated by the California Medical Information Act and the Health Insurance Portability and Accountability Act.
The hospital had a legal obligation to "institute sufficient management safeguards to detect and prevent such breaches from occurring," Rice adds in the complaint.
Rice is seeking class certification, damages and statutory damages. He is represented by Brian Kabateck with Kabateck Brown Kellner.