Cottage Health System, a Santa Barbara-based healthcare organization, agreed to pay the state $2 million to settle allegations it failed to establish reasonable safeguards to protect patient medical information, which led to the exposure of nearly 50,000 medical records.
The settlement, announced by California Attorney General Xavier Becerra Nov. 22, follows two separate data breaches from 2013 and 2015, in which a total of more than 50,000 Cottage patients' medical information was made publicly available online. One of Cottage's servers had allegedly been connected to the internet without encryption, password protection, firewalls or permissions that would have prevented unauthorized access.
According to the settlement, Cottage and its affiliated hospitals failed to implement basic, reasonable safeguards to protect patient medical information, a violation of state and federal privacy laws. Under the agreement, Cottage is required to maintain security practices and procedures that will protect patients' health information from unauthorized access. The health system must pay a $2 million penalty and update its data security practices, which includes appointing a chief privacy officer and completing periodic risk assessments.
"When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed. The law requires healthcare providers to protect patients' privacy. On both of these counts, Cottage Health failed," Mr. Becerra said.