Cottage Health, a healthcare provider based in Santa Barbara, has settled for $2 million with the California Attorney General's office. Cottage Health was investigated by the Attorney General's office for multiple violations of state and federal law following a data breach at the facility.
The breach of confidential patient data occurred in 2013. Cottage Health discovered it on December 2, 2013, when someone contacted the healthcare network and left a voicemail message warning that sensitive patient information had been indexed by search engines. The protected health information (PHI) of Cottage Health's patients was freely available via Google.
Around 50,000 patients were found to be affected by the breach. The data was available online without any form of authentication, such as a password, and the server on which it was stored was not protected by a firewall; in other words, the server was reachable from the public internet and readable by anyone who found it, which is how a search-engine crawler came to index it. Names, medical histories, diagnoses, prescriptions, and lab test results of patients were included in the compromised data. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was unsecured.
As required under state law, the incident was reported to state Attorney General Kamala D. Harris, who ordered her office to investigate the breach. Two years later, while the Attorney General's office was still investigating the incident, Cottage Health experienced a second, smaller breach involving the records of 4,596 patients. As in the 2013 breach, the PHI was accessible online without any authentication.
The information was left exposed online for almost two weeks before the error was identified and protections were put in place to prevent unauthorised access. The information exposed in the second breach included personally identifiable information and protected health information such as names, addresses, medical record numbers, account numbers, employment information, Social Security numbers, and admission and discharge dates.
Cottage Health states that, while both incidents resulted in the exposure of patient data, none of the affected patients has reported that their data was used maliciously. Cottage Health's own investigation also found no indication that patient information was used inappropriately. It is worth noting that the absence of reported misuse is not proof that none occurred: the 2013 server was accessed by other, unidentified individuals while it was unsecured, and misuse of stolen medical and identity data can surface long after the exposure.
The breaches prompted Cottage Health to review its information security controls and to strengthen its policies, procedures, and security protections to prevent similar incidents from occurring in the future. In each case, the health network's security teams acted quickly to limit harm and secure the exposed information. New system monitoring tools have since been implemented, along with security solutions that allow vulnerabilities to be identified and mitigated much more rapidly.
Although Cottage Health responded appropriately after each breach, the lack of safeguards that allowed the breaches to occur in the first place was penalised by the Attorney General. The California Attorney General's office alleged that Cottage Health violated California's Confidentiality of Medical Information Act and its Unfair Competition Law, as well as the HIPAA Rules. According to the complaint, "Cottage failed to employ basic security safeguards."
The Attorney General's investigation found that Cottage Health was running outdated software, that patches were not applied promptly, that default configurations had not been changed, that strong passwords were not used, that access to sensitive PII was not limited, and that regular risk assessments were not conducted. None of these is an exotic control; each is a baseline hygiene measure that the HIPAA Security Rule already expects a covered entity to have in place, which is why the complaint characterised them as "basic" safeguards.
Announcing the settlement, California Attorney General Xavier Becerra said, "When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed." Becerra added, "The law requires health care providers to protect patients' privacy. On both of these counts, Cottage Health failed."
In addition to the financial penalty, Cottage Health is required to update and maintain its information security controls and to ensure that its security practices and procedures match industry standards.
Specifically, the judgement requires Cottage Health to assess its hardware and software for vulnerabilities affecting the confidentiality, integrity, and availability of patients' medical information. Cottage Health must update access controls and security settings as appropriate, in compliance with the HIPAA Rules. It must also encrypt patients' medical information in transit to industry standards so that it cannot again be exposed to unauthorised individuals.
The judgement further stipulates that the organisation must evaluate its response to, and protections against, external threats, including firewall security. Cottage Health is required to maintain reasonable policies and protocols for all information practices covering data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plans. Finally, Cottage Health must train its employees on the correct use and storage of patients' medical information and ensure they know how to properly implement the safeguards needed to maintain HIPAA compliance.