Santa Barbara’s Cottage Health reached a $2 million settlement with the California Attorney General’s Office on Wednesday regarding two breaches of patient-record security, one of which lasted three years. More than 55,000 patient records were available online during two separate periods, unprotected by firewalls or passwords. The settlement requires Cottage to upgrade data security and hire a Chief Privacy Officer.
According to the complaint filed in Santa Barbara Superior Court, surgical records of more than 50,000 patients were openly available on Cottage data servers between 2011 and 2013, including names, addresses, dates of birth, and medical information. Google accessed the information hundreds of times, making the data available to anyone who searched. It was an Arizona man researching on Google who notified Cottage in December 2013 that he could see medical records, which must be kept confidential by law. Cottage “was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII [personally identifying information], and failing to conduct regular risk assessments, among other things,” the complaint alleges.
The second breach occurred over two weeks in 2015. This time, the lack of a server firewall exposed 4,596 patient records to online searches, including names, addresses, social security numbers, and employment information, the complaint states.
In a statement, Cottage Health, which operates hospitals in Santa Barbara, Goleta, and Santa Ynez, said: “Once we learned of the incidents, our information security team worked to provide quick resolutions. There is no indication that data was used in any malicious way. … Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data.”
Cottage faced as much as $275 million in penalties if the state had won at trial.