Cottage Health To Pay $2 Million For Failure to Protect Patients’ Privacy and PHI


Santa Barbara-based Cottage Health has agreed to pay a $2 million financial penalty to settle a breach case brought by the California attorney general’s office. The penalty covers multiple violations of state and federal law arising from a 2013 breach of confidential patient data. Cottage Health discovered the breach on December 2, 2013, when a caller left a voicemail message informing the organization that its patients’ sensitive information was freely available via Google.

The exposed data included the names, medical histories, lab test results, diagnoses and prescriptions of over 50,000 patients. It was stored on a server that was not protected by a firewall and could be accessed without any authentication, so the search engine was able to index it. An unknown number of individuals accessed the server while it was unsecured.

Cottage Health reported the incident to then state attorney general Kamala D. Harris as required by state law. Two years later there was another breach, this time involving 4,596 patient records containing names, addresses, account numbers, medical record numbers, employment information, admission and discharge dates and Social Security numbers. As in the first incident, the information was left accessible online on unsecured storage space. It took about two weeks before the exposure was discovered and the information was secured.

Cottage Health states that neither incident resulted in any reports of patient information misuse. After the second breach, Cottage Health reviewed its security controls, policies and procedures to prevent further breaches. New system monitoring tools and additional security solutions are now in place, enabling the organization to respond to vulnerabilities more rapidly.

Despite these remedial measures, the California attorney general’s office still deemed it appropriate to financially penalize Cottage Health. Cottage Health violated California’s Confidentiality of Medical Information Act, the Unfair Competition Law and the HIPAA Rules. It failed to employ basic security safeguards: it ran outdated software, did not use strong passwords, did not change default configurations, did not apply patches promptly and did not conduct regular risk assessments.

California Attorney General Xavier Becerra said that Cottage Health failed in its duty as a healthcare provider to protect patients’ privacy and risked exposing their personal medical information. In addition to the $2 million settlement, the judgment requires Cottage Health to:

  • Review hardware and software vulnerabilities affecting the confidentiality, integrity and availability of patients’ medical information
  • Update security settings and access controls
  • Evaluate firewall security and response to/protection from external threats
  • Encrypt patients’ medical information in line with industry standards
  • Maintain reasonable policies and protocols for information practices that involve data retention, security incident tracking reports, internal audits, incident management, risk assessments and remediation plans
  • Conduct periodic vulnerability scans and penetration tests
  • Conduct employee training on proper use and storage of medical information of patients