Cottage Healthcare System Settles Security Breach Lawsuit for $2 Million

The settlement was reached with the California Attorney General’s office after two major security breaches exposed over 55,000 patient records.

The first data breach of 50,000 records was revealed by a man doing a Google search.

A settlement has been reached with Cottage Health System and the California Attorney General’s office following two separate security breaches of patient records.

The $2 million settlement comes after more than 55,000 patient records were available online during two separate periods and were unprotected by firewalls or passwords.

Cottage Healthcare System, a Santa Barbara-based healthcare organization, could have faced $275 million in penalties had the suit gone to trial.

The first breach exposed 50,000 patient records, including names, addresses, dates of birth and medical information. The records were openly available on Cottage data servers between 2011 and 2013, according to The Independent.

The server was connected to the internet without encryption, password protection, firewalls or permissions to prevent unauthorized access.

Cottage “was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII (personally identifying information), and failing to conduct regular risk assessments, among other things,” alleges the lawsuit.

The hospital was informed of the breach after a man doing a Google search in December 2013 discovered he could see medical records.

The second breach occurred in 2015 during the Attorney General’s investigation into the first breach and exposed 4,596 patient records. The records were accessible for almost two weeks and included medical record numbers, Social Security Numbers and admit and discharge dates, reports HealthIT Security.

The Attorney General’s office says Cottage’s security failures violated California’s Confidentiality of Medical Information Act, Unfair Competition Law and the federal Health Insurance Portability and Accountability Act, according to a press release from the State of California Department of Justice.

The settlement requires that the hospital upgrade its data security, complete periodic risk assessments and hire a chief privacy officer.

“Once we learned of the incidents, our information security team worked to provide quick resolutions. There is no indication that data was used in any malicious way,” says a statement from Cottage Health. “Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data.”

About the Author


Amy is Campus Safety’s Executive Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy has many close relatives and friends who are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.
