Cottage Health, the Santa Barbara-based healthcare provider, will pay $2 million to resolve multiple violations of state and federal laws as per a directive from the California attorney general’s office.
The group was examined by the California attorney general’s office in relation to a breach of private patient data back in 2013. The breach of data was found by the organization on December 2, 2013, when someone made the healthcare network aware of it that fact, using the voicemail warning system, that sensitive patient information was listed by the search engines and was available for everyone via Google.
Over 50,000 patients had their sensitive information available online, without authentication requirements such as a password and the server on which the information was stored was not secured using a firewall. Information exposed included names, medical histories, diagnoses, medical prescriptions, and laboratory test results. The Cottage Farm server had been accessed by other people for the duration that it was unsecured, in addition to the individual who alerted them to the breach.
The violation incident was reported to state attorney general Kamala D. Harris, in line with state laws requirements. Just over two years later, while the attorney general’s office was looking into the incident, Cottage Health had a second breach. This (second) breach affected the records of 4,596 people who, similarly, has their data exposed and accessible online without any need for secure authentication.
The private personal information was accessible for a duration of almost two weeks before the weakness was identified and security measures were implemented to stop unauthorised access of their network. The information accessible in the second breach incorporated personally identifiable information and protected health information including as names, addresses, medical record numbers, account histories, employment information, Social Security credentials and admission and discharge details.
Cottage Health believes that, despite both incidents resulting in the exposure of patient data, there is no reason to think any patient information was used inappropriately. The breaches lead to Cottage Health completing an audit of its information security controls and bolstering its policies, procedures and security policies to prevent similar breaches from happening in the future. In each scenario, the health network’s security teams acted rapidly to limit damage and secure the exposed information. New system reviewing tools have now been put in place, and the latest security solutions have been added to allow vulnerabilities to be identified and mitigated much more speedily.
The reaction of Cottage Health to the breach may have been reasonable and appropriate, and resulted in better protections being implemented, but it is the lack of protections prior to the data breaches that lead a financial penalty being applied.
The California state attorney general’s office ruled that Cottage Health breached California’s Confidentiality of Medical Information Act, its Unfair Competition Law, and HIPAA Rules were also broken. The complaint stated, “Cottage failed to employ basic security safeguards.”
Cottage Health was running obsolete software, patches were not applied correctly, default configurations had not been amended, strong passwords were not implemented, access to sensitive PII was not restricted, and regular risk assessments were not completed.