Monday, June 29, 2026

Cottage Hospital Pays $2 Million to Settle Security Breach Lawsuit

More than 55,000 patient records were exposed to online scrutiny.

Santa Barbara's Cottage Health reached a $2 million settlement with the California Attorney General's Office on Wednesday regarding two breaches of patient-record security, one of which lasted three years. More than 55,000 patient records were available online during two separate periods, unprotected by firewalls or passwords. The settlement requires Cottage to upgrade data security and hire a Chief Privacy Officer.

According to the complaint filed in Santa Barbara Superior Court, surgical records of more than 50,000 patients were openly available on Cottage data servers between 2011 and 2013, including names, addresses, dates of birth, and medical information. Google accessed the information hundreds of times, making the data available to anyone who searched. It was an Arizona man researching on Google who notified Cottage in December 2013 that he could see medical records, which must be kept confidential by law. Cottage "was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII [personally identifying information], and failing to conduct regular risk assessments, among other things," the complaint alleges.

The second breach occurred over two weeks in 2015. This time, the lack of a server firewall exposed 4,596 patient records to online searches, including names, addresses, Social Security numbers, and employment information, the complaint states.