Health system fined $2 million for making patient data public online -- twice

Cottage Health breached the data of over 50,000 patients in 2013 and 2015 after leaving a server unencrypted and without a firewall, permissions or password protection.
By Jessica Davis
12:33 PM

Cottage Health System in Santa Barbara, California. Credit: Google Maps

Santa Barbara, California-based Cottage Health System and affiliated hospitals have agreed to a $2 million settlement with California over failure to implement basic, reasonable safeguards, which led to two separate patient breaches in 2013 and 2015.

The health system’s failure to protect patient medical information violated state and federal privacy laws, said California Attorney General Xavier Becerra. The state alleged the health system failed to adequately protect patient records.

In December 2013, Cottage Health was notified that its patients’ records were accessible online: one of its servers, which contained 50,000 patient records, had been left unencrypted. The server also had no password protection, firewall or access permissions in place to prevent unauthorized access.


During Becerra’s investigation in 2015, the health system once again breached patient data through another server left open for almost two weeks. These failures, the attorney general alleged, violated HIPAA rules and California’s Confidentiality of Medical Information Act and Unfair Competition Law.

“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra said. “The law requires healthcare providers to protect patients' privacy. On both of these counts, Cottage Health failed.”


As part of the settlement for these violations, Cottage Health will need to maintain security practices to ensure patient data is protected from unauthorized disclosure. This includes upgrading security practices and maintaining a security program that meets “reasonable security practices and procedures for the healthcare industry.”

Further, Cottage Health will need to designate a chief privacy officer to complete periodic risk assessments.

The settlement comes on the heels of an ever-growing list of organizations failing to secure online storage buckets, which suggests more settlements of this kind may follow.

In October, Accenture exposed client data in four separate buckets after an administrator accidentally left the databases open to the public. Verizon also recently notified 14 million customers that their personal data had been left exposed online.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com