Cottage Healthcare System Settles Security Breach Lawsuit for $2 Million

Published: November 28, 2017

A settlement has been reached with Cottage Health System and the California Attorney General’s office following two separate security breaches of patient records.

The $2 million settlement comes after more than 55,000 patient records were available online during two separate periods and were unprotected by firewalls or passwords.

Cottage Healthcare System, a Santa Barbara-based healthcare organization, could have faced $275 million in penalties had the suit gone to trial.

The first breach exposed 50,000 patient records, including names, addresses, dates of birth and medical information. The records were openly available on Cottage data servers between 2011 and 2013, according to The Independent.


The server was connected to the internet without encryption, password protection, firewalls or permissions to prevent unauthorized access.

Cottage “was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII (personally identifying information), and failing to conduct regular risk assessments, among other things,” alleges the lawsuit.

The hospital was informed of the breach after a man doing a Google search in December 2013 discovered he could see medical records.

The second breach occurred in 2015 during the Attorney General’s investigation into the first breach and exposed 4,596 patient records. The records were accessible for almost two weeks and included medical record numbers, Social Security Numbers and admit and discharge dates, reports HealthIT Security.

The Attorney General’s office says Cottage’s security failures violated California’s Confidentiality of Medical Information Act, Unfair Competition Law and the federal Health Insurance Portability and Accountability Act, according to a press release from the State of California Department of Justice.

The settlement requires that the hospital upgrade its data security, complete periodic risk assessments and hire a chief privacy officer.

“Once we learned of the incidents, our information security team worked to provide quick resolutions. There is no indication that data was used in any malicious way,” says a statement from Cottage Health. “Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data.”
