Cottage Healthcare System Settles Security Breach Lawsuit for $2 Million

The settlement was reached with the California Attorney General’s office after two major security breaches exposed over 55,000 patient records.

The first data breach of 50,000 records was revealed by a man doing a Google search.

A settlement has been reached with Cottage Health System and the California Attorney General’s office following two separate security breaches of patient records.

The $2 million settlement comes after more than 55,000 patient records were available online during two separate periods and were unprotected by firewalls or passwords.

Cottage Healthcare System, a Santa Barbara-based healthcare organization, could have faced $275 million in penalties had the suit gone to trial.

The first breach exposed 50,000 patient records, including names, addresses, dates of birth and medical information. The records were openly available on Cottage data servers between 2011 and 2013, according to The Independent.

The server was connected to the internet without encryption, password protection, firewalls or permissions to prevent unauthorized access.

Cottage “was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII (personally identifying information), and failing to conduct regular risk assessments, among other things,” alleges the lawsuit.

The hospital was informed of the breach after a man doing a Google search in December 2013 discovered he could see medical records.

The second breach occurred in 2015 during the Attorney General’s investigation into the first breach and exposed 4,596 patient records. The records were accessible for almost two weeks and included medical record numbers, Social Security Numbers and admit and discharge dates, reports HealthIT Security.

The Attorney General’s office says Cottage’s security failures violated California’s Confidentiality of Medical Information Act, Unfair Competition Law and the federal Health Insurance Portability and Accountability Act, according to a press release from the State of California Department of Justice.

The settlement requires that the hospital upgrade its data security, complete periodic risk assessments and hire a chief privacy officer.

“Once we learned of the incidents, our information security team worked to provide quick resolutions. There is no indication that data was used in any malicious way,” says a statement from Cottage Health. “Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data.”

About the Author


Amy Rock is Campus Safety's senior editor. She graduated from UMass Amherst with a Bachelor’s Degree in Communications and a minor in Education.

She has worked in the publishing industry since 2011, in both events and digital marketing.
