$2 Million Fine for Data Breach Affecting Nearly 55,000 Patient Records
The California Attorney General recently announced a $2 million settlement with Cottage Health System and its affiliated hospitals in California resolving allegations they failed to implement basic, reasonable safeguards to protect patient medical information.
According to the announcement, the Attorney General’s Office alleged that one of Cottage Health System’s servers with medical records for more than 50,000 patients was connected to the internet without encryption, password protection, firewalls, or permissions that would have prevented unauthorized access. In 2015, during the Attorney General’s investigation of the first breach, Cottage Health experienced a second data breach in which the records for 4,596 patients became accessible online for nearly two weeks. The Attorney General’s Office alleged that Cottage’s security failures violated California’s Confidentiality of Medical Information Act and Unfair Competition Law, as well as the federal Health Insurance Portability and Accountability Act (HIPAA).
Attorney General Becerra stressed the importance of safeguarding patient medical information: “When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed. The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”
In order to settle the allegations, Cottage Health agreed to:
- Pay a $2 million penalty
- Upgrade its data security practices
- Implement “reasonable” security policies and procedures
- Designate an employee to serve in the capacity of a Chief Privacy Officer
- Complete periodic risk assessments
For more information on this settlement, visit https://oag.ca.gov/media/news.