California Attorney General’s Office Fines Cottage Health $2 Million

by Patrick Kennedy | Dec 2, 2017

Cottage Health will pay $2 million to settle alleged violations of state and federal law, including HIPAA, arising from two breaches of patient data.

The health system, located in Santa Barbara, was investigated by the California attorney general's office over a breach of confidential patient data in 2013. Cottage Health learned of the breach on December 2, 2013, when a caller left a message on its voicemail system saying that sensitive patient information had been indexed by search engines and was publicly available through Google.

The sensitive information of more than 50,000 patients was accessible on the Internet with no authentication, not even a password, and the server on which it was stored was not protected by a firewall. The exposed data included names, medical histories, diagnoses, prescriptions, and lab test results. During the period the server was unsecured it was accessed by other parties in addition to the person who alerted the health system.

As required under state law, the incident was reported to then-state attorney general Kamala D. Harris. Two years later, while the attorney general's office was still investigating that incident, Cottage Health suffered a second breach. The second breach involved the records of 4,596 patients, which were similarly accessible online without any authentication.

The information was exposed for almost two weeks before the flaw was identified and controls were put in place to stop unauthorised access. The data exposed in the second breach included personally identifiable information and protected health information: names, addresses, medical record details, account credentials, employment information, Social Security numbers, and admission and discharge details.

Cottage Health maintains that while both incidents exposed patient data, there is nothing to suggest any patient information was misused. The breaches led Cottage Health to audit its information security controls and to strengthen its policies, procedures, and technical safeguards to prevent similar incidents. In each case, the health system's security teams moved quickly to contain the damage and secure the exposed data. New system monitoring tools have since been deployed, and additional security solutions have been adopted that allow weaknesses to be identified and mitigated far more quickly.

The response to each breach may have been quick, reasonable and adequate, and protections may now be far stronger, but it was the absence of security measures before the breaches that warranted a fine. The California attorney general's office alleges that Cottage Health violated California's Confidentiality of Medical Information Act and Unfair Competition Law, and that the HIPAA Rules were also breached. The complaint states, "Cottage failed to employ basic security safeguards." According to the complaint, Cottage Health ran outdated software, did not apply patches properly, left default configurations unchanged, did not use strong passwords, did not restrict access to sensitive PII, and did not carry out regular risk assessments.

Announcing the settlement, California Attorney General Xavier Becerra said, "When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed. The law requires health care providers to protect patients' privacy. On both of these counts, Cottage Health failed."

In addition to the $2 million payment, Cottage Health is required to update and maintain its information security program and to ensure that its security practices and procedures meet industry best-practice standards.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
