California health system fined $2 million for making patient data public online – twice.

Santa Barbara, California-based Cottage Health System has agreed to a $2 million settlement with the state attorney general resolving allegations that the health system failed to implement “basic, reasonable safeguards to protect patient medical information”, which led to the exposure of nearly 55,000 medical records.

According to California Attorney General Xavier Becerra, the health system’s failure to protect patient medical information violated state and federal privacy laws. The state alleged the health system failed to adequately protect patient records.

In December 2013, Cottage Health was notified that its patients’ records were accessible online: one of its servers, containing 50,000 patient records, had been left unencrypted. Worse yet, no password protection, firewall, or access permissions were in place to prevent unauthorized access. Exposed information included medical history, diagnoses, laboratory test results, and medications.

During Becerra’s 2015 investigation, the health system once again breached patient data with another server left open for almost two weeks, exposing nearly 5,000 records. This incident involved PII and ePHI, including medical record numbers, account numbers, names, addresses, Social Security Numbers, employment information, admit and discharge dates, and other personal information.

“Cottage’s data breaches were symptoms of its system-wide data security failures,” Becerra wrote in an initial complaint filed at the California Superior Court. “Cottage failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.”

The complaint also stated that the security assessments following the first data breach revealed that Cottage’s external and internal information systems were “significantly compromised.”

“Cottage was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII, and failing to conduct regular risk assessments, among other things,” the document read.

These failures, the attorney general alleged, violated HIPAA rules and California’s Confidentiality of Medical Information Act and Unfair Competition Law.

“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra said. “The law requires healthcare providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”

In addition to the $2 million fine, Cottage is also required to reexamine its information security program, assess hardware and software within its network for potential vulnerabilities, update access controls, encrypt patient information and maintain “reasonable policies and protocols for all information practices,” according to the settlement.

Within 60 days, the health system must also designate a chief privacy officer and report the names of employees that oversee privacy policies and compliance with state and federal privacy laws. For the next two years, Cottage Health will submit a copy of its annual privacy risk assessment to the California Attorney General’s Office.

A spokesperson for Cottage Health System said, “This settlement involves unrelated data incidents that occurred in 2013 and 2015. Once we learned of the incidents, our information security team worked to provide resolutions. There is no indication that data was used in any malicious way.”

The health system spokesperson also stated, “At Cottage Health, we have used this learning to strengthen our system security layers for improved detection and mitigation of vulnerabilities. Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data. We value the trust of our community and are committed to continuous advances in technology that enable us to protect patient privacy while providing authorized care providers the timely and effective data needed for medical treatments.”
