Health System’s Security Error Puts PHI On Google

Posted on December 16, 2013 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or

A Santa Barbara, Calif. hospital system may have exposed the protected health information of almost 33,000 individuals to the public via Google over the last two months, according to a story in Healthcare IT News.

Three-hospital Cottage Health System recently notified 32,755 of its patients that their personal health information may have been made available on Google due to a lack of security coordination between the system and one of its vendors.

According to a letter CHS mailed to patients, IT services and solutions vendor inSync removed electronic security protections for one of its services, an action of which the health system was not aware.

Removing the security protections exposed a file on the server containing PHI. This PHI was left unsecured and exposed to the public for nearly two months, Healthcare IT News said.

The breach exposed patient names, dates of birth, medical diagnoses, lab results and procedures, medical record numbers, account numbers and addresses, though no financial data was made public.

CHS, which has asked all to remove the file from its systems, has issued a letter assuring patients that it has taken steps to prevent such a thing from happening again. In the letter, CHS chief operating officer Steven Fellow said that the health system is reviewing service relationships with third-party vendors and tightening up its security routine, Healthcare IT News reports.

As serious as PHI exposure is, this privacy breach is a drop in the bucket statistically. Since 2009, when HIPAA privacy and security breach notification rules went into effect, HIPAA-covered entities have reported breaches affecting some 27 million individuals. This includes some institutions — such as the University of Rochester Medical Center — which have had to report multiple security breaches.