Cottage Health System Breach Settlement Reached

The Cottage Health System breach settlement has been a long time coming but the healthcare provider has now decided to settle the lawsuit rather than fight the liability case in court. The damages will now be paid to the breach victims, although CHS/In Sync have not accepted liability. The Cottage Health System breach settlement was reached as the healthcare provider and its BA believed it was in the best interests of all concerned.

The lawsuit stemmed from a data breach suffered by Cottage Health System – via its Business Associate (BA) – between September 2009 and December 2, 2013, when the data breach was finally discovered. Initially it was not clear how many individuals had been affected by the breach and the total rose from 32,500 to 50,918 individuals as the extent of the data breach became clear. All breach victims had visited either the Santa Barbara Cottage Hospital, Goleta Valley Cottage Hospital or the Santa Ynez Valley Hospital between the above dates.

Many data breaches are discovered when healthcare providers perform routine security updates, although in this case it was a tip off received on an answering phone recording that alerted CHS to the fact that patients’ data had been listed in Google. An error by the BA allowed PHI to be viewed by individuals without authorization.

The data exposed in the breach included names, addresses, dates of birth, lab test results, medical diagnoses and procedures in addition to medical record numbers and account numbers. No Social Security numbers were exposed and neither was any financial information disclosed.

A fund of $4,125 million has been created to cover payment of damages to patients affected by the breach, and once costs have been paid, the remainder of the Cottage Health System breach settlement will be shared between patients. Checks for $52.11 have been mailed to all breach victims, with a time limit of 6 months in which to cash the checks.

The checks could be confusing for many individuals unaware that they had been included in a class-action lawsuit. The checks will draw on a bank account in Dublin, Ohio. The checks do not have the name of Cottage Health System written on them, instead they refer to Rice v. InSync, et al.

Individuals affected by the breach will have received breach notification letters in the post more than two years previously, and may not remember the name of the Business Associate that caused the CHS breach.

CHS will not receive any information about patients that cash checks. The healthcare provider has paid the settlement and is not involved in its administration in any way. If the fund is not exhausted, no monies will be returned to CHS.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of