$2 Million Fine for Data Breach Affecting Nearly 55,000 Patient Records
The California Attorney General recently announced a $2 million settlement with Cottage Health System and its affiliated hospitals in California resolving allegations they failed to implement basic, reasonable safeguards to protect patient medical information.
According to the announcement, the Attorney General's Office alleged that one of Cottage Health System's servers with medical records for more than 50,000 patients was connected to the internet without encryption, password protection, firewalls, or permissions that would have prevented unauthorized access. In 2015, during the Attorney General's investigation of the first breach, Cottage Health experienced a second data breach in which the records for 4,596 patients became accessible online for nearly two weeks. The Attorney General's Office alleged that Cottage's security failures violated California's Confidentiality of Medical Information Act and Unfair Competition Law, as well as the federal Health Insurance Portability and Accountability Act (HIPAA).
Attorney General Becerra stressed the importance of safeguarding patient medical information: "When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed. The law requires health care providers to protect patients' privacy. On both of these counts, Cottage Health failed."
In order to settle the allegations, Cottage Health agreed to:
- Pay a $2 million penalty
- Upgrade its data security practices
- Implement "reasonable" security policies and procedures
- Designate an employee to serve in the capacity of a Chief Privacy Officer
- Complete periodic risk assessments
For more information on this settlement, visit https://oag.ca.gov/media/news.