
California Health System Pays $2M to Settle Data Breaches

Posted in Electronic Health Records, HIPAA and the HITECH Act, Hospitals and Institutions, Litigation, Privacy and Data Protection, State Matters

The federal government’s data privacy and security enforcement efforts have slowed down in the latter half of 2017, but some states are picking up the slack. On November 22, the California Attorney General announced a $2 million settlement with Cottage Health System, based in Santa Barbara, to resolve two data breach incidents in which more than 50,000 patients’ records were publicly exposed online.

In the first incident, discovered in 2013, one of Cottage’s servers was connected to the internet with no password protection or encryption, leaving medical records vulnerable to unauthorized access and even searchable online. The second breach, discovered in 2015, was similar and exposed the records of 4,596 more patients. The Attorney General’s complaint claimed that Cottage “failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.”

In addition to the $2 million fine, Cottage is required to upgrade its data security practices, maintain an information security program, and complete periodic risk assessments, among other things.
