In December 2013, Cottage Health System disclosed a breach involving PHI. Two years later, we learned of a second breach. And now two years after that, we hear that Cottage Health has settled charges arising from those breaches. From the state’s press release:
California Attorney General Xavier Becerra Wednesday announced a $2 million settlement with Cottage Health System and its affiliated hospitals in California resolving allegations that they failed to implement basic, reasonable safeguards to protect patient medical information in violation of state and federal privacy laws. The settlement requires Cottage to maintain security practices and procedures to protect patients’ medical information from unauthorized access or disclosure. This settlement follows two separate data breach incidents by Cottage Health where more than 50,000 patients’ medical information was made publicly available online.
“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed. The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed,” said Attorney General Becerra.
In this action, the Attorney General’s Office alleged that Cottage Health System, a not-for-profit based in Santa Barbara, California, failed to adequately protect patient records. Cottage was notified in December 2013 that patients’ confidential medical information was viewable online. One of the company’s servers with medical records for more than 50,000 patients was connected to the internet without encryption, password protection, firewalls, or permissions that would have prevented unauthorized access. In 2015, during the Attorney General’s investigation of the first breach, Cottage Health experienced a second data breach in which the records for 4,596 patients became accessible online for nearly two weeks. The Attorney General’s Office alleged that Cottage’s security failures violated California’s Confidentiality of Medical Information Act and Unfair Competition Law, as well as the federal Health Insurance Portability and Affordability Act.
Under the settlement announced today, Cottage Health is required to pay a $2 million penalty and upgrade its data security practices. Cottage Health is required to protect patients’ medical information from unauthorized access and disclosure and to maintain an information security program that meets reasonable security practices and procedures for the healthcare industry. It must designate an employee to serve in the capacity of a Chief Privacy Officer and to complete periodic risk assessments.
Attorney General Becerra is committed to protecting consumer and individual privacy through civil prosecution of state and federal privacy laws.