A California health system has agreed to a $2 million settlement with the state attorney general to settle claims that it failed to implement basic security protocols, which led to the exposure of nearly 55,000 medical records.
The settlement with Santa Barbara-based Cottage Health System, announced last week by California Attorney General Xavier Becerra, resolves two data breach incidents in 2013 and 2015 in which patient records were publicly accessible and even indexed in a Google search.
In the first incident, which stretched from 2011 to 2013, patient information was accessible and searchable online without any encryption, password protection or firewall in place to prevent unauthorized access. More than 50,000 patient records were accessed by the time the security flaws were discovered.
The second breach was discovered on November 8, 2015, while state authorities were investigating the first incident. Again, the hospital’s server was misconfigured so that it was publicly accessible, exposing nearly 5,000 records.
“Cottage’s data breaches were symptoms of its system-wide data security failures,” Becerra wrote in an initial complaint (PDF) filed at the California Superior Court. “Cottage failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.”
“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed https://t.co/IWbg5FvUEF” — Xavier Becerra (@AGBecerra), November 22, 2017
“The law requires #health care providers to protect patients' privacy. On both of these counts, Cottage Health failed.” — Xavier Becerra (@AGBecerra), November 22, 2017
In addition to the $2 million fine, Cottage is also required to reexamine its information security program, assess hardware and software within its network for potential vulnerabilities, update access controls, encrypt patient information and maintain “reasonable policies and protocols for all information practices,” according to the settlement (PDF).
Within 60 days, the health system must also report the names of the employees who oversee its privacy policies and its compliance with state and federal privacy laws. For the next two years, Cottage Health will submit a copy of its annual privacy risk assessment to the California Attorney General’s Office.
Editor's note: In a statement emailed after the publication of this article, a spokesperson for Cottage Health System said the settlement involves two unrelated data incidents, adding that there is no indication the data was used in a malicious way.
"At Cottage Health, we have used this learning to strengthen our system security layers for improved detection and mitigation of vulnerabilities. Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data."