Protected Health Information (PHI) of 33,000 individuals was inadvertently exposed online, where it was indexed by the Google search engine, due to a security flaw.
Patients of Cottage Health System in Santa Barbara, California were informed by the three-hospital system that their information could have been available online for nearly two months.
The lapse occurred after one of its vendors removed security protections from a service without informing the hospital system. This left a file containing PHI unprotected on the server and searchable on Google. The file contained patient names, dates of birth, diagnoses, lab results and procedures, medical record numbers, account numbers and addresses.
CHS maintained that the file did not contain any financial data, and requested that Google remove the file from its index. “CHS takes its obligation to protect your personal health information very seriously and apologizes for any inconvenience this may cause you,” stated a letter to the patients, written by Steven A. Fellow, executive vice president, chief operating officer and chief compliance officer of CHS. “We want to also assure you we have taken steps to prevent this type of event from happening again, including reviewing service relationships with third party vendors, expanding and increasing the frequency of internal and external security checks, and enhancing our ‘change notification system.’”
Security lapses leading to PHI being leaked online are not new. In July 2013, the HHS Office for Civil Rights (OCR), the department that investigates HIPAA violations, penalized WellPoint $1.7 million after it made the PHI of over 600,000 individuals available online. That data contained patient names, dates of birth, SSNs, telephone numbers and health information.
OCR found that WellPoint had no measures in place limiting personnel access to PHI, and had not evaluated its system after an upgrade.
Since 2009, 27 million individuals have had their PHI compromised for various reasons, according to breaches reported under the HIPAA privacy and security breach rules. Healthcare organizations need to continuously check the security measures they have in place, including those of their vendors, in order to ensure the protection of PHI.