Health system fined $2 million for making patient data public online -- twice
Santa Barbara, California-based Cottage Health System and affiliated hospitals have agreed to a $2 million settlement with California over failure to implement basic, reasonable safeguards, which led to two separate patient breaches in 2013 and 2015.
The health system’s failure to protect patient medical information violated state and federal privacy laws said California Attorney General Xavier Becerra. The state alleged the health system failed to adequately protect patient records.
In December 2013, Cottage Health was notified its patients’ records were accessible online, as one of its servers that contained 50,000 patient records was left unencrypted. Further, there was no password protection, firewalls or permissions to prevent unauthorized access.
During Becerra’s investigation in 2015, the health system once again breached patient data through another server left open for almost two weeks. These failures, the attorney general alleged, violated HIPAA rules and California’s Confidentiality of Medical Information Act and Unfair Competition Law.
“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra said. “The law requires healthcare providers to protect patients' privacy. On both of these counts, Cottage Health failed.”
As part of the settlement for these violations, Cottage Health will need to maintain security practices to ensure patient data is protected from unauthorized disclosure. This includes upgrading security practices and maintaining a security program that meets “reasonable security practices and procedures for the healthcare industry.”
Further, Cottage Health will need to designate a chief privacy officer to complete periodic risk assessments.
The settlement comes on the heels of an ever-growing list of organizations failing to secure online buckets, which means we may expect more of these settlements.
In October, Accenture breached client data in four separate buckets after its admin accidentally left the databases open to the public. Verizon also recently notified 14 million customers their personal data was left exposed online.