Cottage Health will pay $2 million to settle a number of HIPAA violations in relation to state and federal laws.
The group, located in Santa Barbara, was reviewed by the California attorney general’s office due to a breach of confidential patient data during 2013. The breach was identified by Cottage Health on December 2, 2013, when someone got in touch with the healthcare network and left a message on its voicemail system saying that sensitive patient information had been indexed by the search engines and was publicly available via Google.
The sensitive information of in excess of 50,000 patients was available on the Internet, without any need for authentication such as a secure password and the server on which the information was stored was not safeguarded by a firewall. The types of information available included names, medical histories, diagnoses, prescriptions, and lab test results. The server had also been accessed by other people, in addition to the person who alerted the group, during the time that it was unsecured.
As is required under state legislation, state attorney general Kamala D. Harris was made aware of the incident. Two years later, while the attorney general’s office was looking into the incident, Cottage Health encountered a second breach. The second breach included the records of 4,596 patients, and similarly, were accessible online without any need for authentication.
The sensitive information was accessible for almost two weeks before the flaw was identified and protections put in place to stop unauthorised access. The information exposed in the second breach included personally identifiable information and protected health information such as names, addresses, medical record details, account credentials, employment information, Social Security numbers, and admission and discharge figures.
Cottage Health argues that while both incidents lead to the exposure of patient data, there are is nothing to suggest any patient information was used inappropriately. The breaches lead to Cottage Health to audit its information security controls and enhance its policies, procedures, and security protections to prevent similar violations from occurring going forward. In each instance, the health network’s security teams moved quickly to restrict harm and secure the exposed data. New system monitoring tools have now been put in place, and advanced security solutions have been adapted that allow weaknesses to be identified and mitigated much more quickly.
The response to the breach may have been quick, reasonable and adequate, and protections now far improved, but it is the lack of security measures leading up to the data breaches that warranted a fine. The California state attorney general’s office claims that Cottage Health violated California’s Confidentiality of Medical Information Act, its Unfair Competition Law, and HIPAA Rules were also breached. The complaint states, “Cottage failed to employ basic security safeguards.” Cottage Health was running old software, patches were not applied properly, default configurations had not been changed, strong passwords were not used, access to sensitive PII was not limited, and regular risk assessments were not carried out.
Making the settlement public , California Attorney General Xavier Becerra commented, “When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra explained that “The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”
Along with the $2 million settlement, Cottage Health is obligated to update and maintain information security measures and ensure security practices and procedures match best practice sector standards.