Cottage Health Pays $2M to CA AG for Data Breach

Robinson+Cole Data Privacy + Security Insider

Cottage Health, a three-hospital health care system located in California, has agreed to pay the California Attorney General’s Office $2 million to settle allegations that it failed to implement data security safeguards to protect patients’ health information that was accessible online and indexed by search engines.

In December 2013, it was discovered that one of Cottage Health’s servers was connected to the Internet without encryption, password protection, firewalls or access controls, which exposed health information of 50,000 patients between 2011 and 2013.

Then on November 8, 2015, while state authorities were investigating the first incident, the hospital’s server was misconfigured and the medical records of 4,596 were publicly available.

According to the California Department of Justice, Cottage Health violated the California Confidentiality of Medical Information Act and Unfair Competition Law by failing to keep the information secure. It stated that “Cottage Health failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.” Sounds like a data security roadmap.

In addition to the payment of the $2 million fine, Cottage Health is required by the settlement to hire a data privacy and security officer to develop and maintain appropriate policies and procedures and perform annual privacy risk assessments.
