Cottage Health System recently reached a $2 million settlement with the California Attorney General’s office after two separate health data breach incidents that took place in 2013 and 2015.
In total, more than 50,000 patients had their medical information exposed on the internet across the two breaches.
“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Attorney General Xavier Becerra said in a statement. “The law requires health care providers to protect patients' privacy. On both of these counts, Cottage Health failed.”
The first incident took place in 2013, when Cottage was notified that a company server containing medical records for over 50,000 patients was connected to the internet without encryption, password protection, a firewall, or access permissions that would have prevented unauthorized access.
Exposed information included medical history, diagnosis, laboratory test results, and medications.
Two years later, while the state attorney general was still investigating the 2013 incident, Cottage experienced a second health data breach. In this second breach, 4,596 patient records were accessible online for approximately two weeks. The exposed data included both PII and ePHI: medical record numbers, account numbers, names, addresses, Social Security numbers, employment information, admit and discharge dates, and other personal information.
“Cottage’s data breaches were symptoms of its system-wide data security failures,” stated the conformed complaint against Cottage. “Cottage failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.”
The complaint also explained that the security assessments following the first data breach revealed that Cottage’s external and internal information systems were “significantly compromised.”
“Cottage was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII, and failing to conduct regular risk assessments, among other things,” the document read.
The 2015 breach also involved an internet-accessible server that was not protected by a firewall, the complaint maintained. Misconfigured server settings reportedly led to the server being accessed “by a limited number of other unidentified parties.”
Along with paying the $2 million penalty, Cottage must also upgrade its data security practices, according to the California Attorney General.
“Cottage Health is required to protect patients’ medical information from unauthorized access and disclosure and to maintain an information security program that meets reasonable security practices and procedures for the healthcare industry,” the attorney general statement said. “It must designate an employee to serve in the capacity of a Chief Privacy Officer and to complete periodic risk assessments.”
Specifically, Cottage must “maintain reasonable security practices and procedures to protect patients’ medical information from unauthorized access and/or disclosure, including access by or via internet search engines,” the California court’s final judgment explained.
Cottage will also need to ensure its information security program does the following:
- Assess hardware and software used within Cottage’s computer network for potential risks and vulnerabilities to the confidentiality, integrity, and availability of patients’ medical information, and update security settings and access controls where appropriate
- Evaluate the response to and protections from external threats, including firewall security
- Encrypt patients’ medical information in transit in accordance with health care industry best practices
- Maintain reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plans
- Conduct periodic vulnerability/penetration testing designed to identify, assess, and remediate vulnerabilities within Cottage’s computer network
- Train employees regarding the collection, use, and storage of patients’ medical information
The healthcare organization is also required to complete an annual privacy risk assessment for the next two years. Each assessment must explain how Cottage is addressing compliance with the privacy laws that apply to PHI and report on the effectiveness of its information security program.