The California Attorney General (AG) recently announced that it had reached a settlement with Cottage Health System and its affiliated hospitals, after the health system had failed to adequately protect patient records on two separate occasions. Cottage Health System is a not-for-profit healthcare organization based in Santa Barbara, California. The AG noted that in December 2013, one of the company’s servers, containing over 50,000 medical records, lacked basic security protections such as encryption, password protection, firewalls, or permissions that would have prevented unauthorized access. The same system suffered another data breach in 2015, compromising 4,596 patient records, which were accessible online for nearly two weeks. Outdated software, failure to apply security patches, use of weak password protection, and improperly configured server settings led to the breach. These security failures violated California’s Confidentiality of Medical Information Act and Unfair Competition Law, as well as the Health Insurance Portability and Accountability Act.
The settlement dictates that Cottage Health System will pay a two million dollar penalty, and must upgrade its data security practices. Moreover, within 60 days, it must also report names of individuals overseeing privacy policies and compliance with state and federal law. Cottage Health System is required to submit its privacy risk assessment to the California AG’s office.
As part of its settlement, Cottage Health System must also designate an employee to serve in the capacity of a Chief Privacy Officer to perform the following tasks:
- Reexamine the System’s information security program;
- Assess hardware and software within its network for potential vulnerabilities;
- Update access controls;
- Encrypt patient information;
- Maintain reasonable policies and protocols for all information practices; and
- Complete periodic risk assessments.
The California AG Press Release is available at: