Leaving protected health information on the Internet costs Cottage Health $2 million
Cottage Health System in California, with three acute care hospitals and a variety of ancillary facilities, has agreed to pay a $2 million settlement and implement corrective actions after the organization twice had protected health information freely available on the Internet for extended periods of time.
The settlement, imposed by California Attorney General Xavier Becerra, resolves charges Cottage Health did not implement basic and reasonable safeguards to protect patient data.
From 2011 through 2013, more than 50,000 Cottage patients had their personal identifying information and electronic personal health information accessible and searchable online, according to the complaint filed by Becerra. The compromised information included medical history, diagnosis, lab results and medications.
“Cottage had failed to adequately secure this information, resulting in this data being indexed by Google and viewable in public searches,” Becerra charged.
Again in 2015, more than 4,500 patients had their protected information accessible and searchable, including medical record number, account number, name, address, Social Security number, employment information, admit and discharge dates and other personal information, with more patient data being indexed by Google and viewable in searches.
“Cottage’s data breaches were symptoms of its system-wide data security failures,” Becerra asserts in the settlement agreement. “Cottage failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.”
Among other security improvements imposed on Cottage Health, the organization must designate a chief privacy officer and complete periodic risk assessments. There also is plenty of remediation work to be done.
Medical records stored on an internet-connected FTP server were not encrypted, not protected by a password, not secured behind a firewall, and did not have file access permissions configured to prevent unauthorized access, according to the settlement agreement. “This server also allowed access via an anonymous username, meaning the files could be accessed without a verified username and password.”
In December 2013 an individual doing an internet search on Google found medical records on Cottage’s server and notified the organization, which then determined 50,000 records were unprotected.
“Because anonymous access was enabled on Cottage’s server and it lacked other basic security safeguards, the data was exfiltrated off the server hundreds of times,” according to the settlement agreement.
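The settlement describes a server that allowed anonymous logins, carried no encryption and had no file access restrictions. The audit below is an added example, not part of the article or of Cottage Health's remediation, showing how a defender can check an FTP server configuration for exactly those conditions before it is exposed to the Internet. The directive names (anonymous_enable, ssl_enable, write_enable and so on) follow vsftpd's key=value syntax; the article does not name the server software, so that choice, the sample configurations and the path names are assumptions constructed for the example.

```python
"""Audit an FTP server configuration for the failures named in the Cottage
Health settlement: anonymous access, cleartext transfer, writable shares.
Directive names follow vsftpd's syntax (an assumption; the article does not
say which FTP server was in use)."""

from typing import Dict, List

# Constructed sample: a configuration that reproduces the exposed-server
# conditions from the settlement (anonymous login, no encryption).
WEAK_CONFIG = """
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
anon_root=/srv/medical-records
"""

# Constructed sample: the same server with the defects corrected.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
local_root=/srv/records
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_ftp_config(text: str) -> List[str]:
    """Return one finding per weakness detected; an empty list means clean."""
    cfg = parse_config(text)
    findings: List[str] = []

    def is_yes(key: str, default: str = "NO") -> bool:
        return cfg.get(key, default).upper() == "YES"

    # vsftpd's compiled-in default for anonymous_enable is YES, so a missing
    # directive is treated the same as an explicit YES.
    anonymous = is_yes("anonymous_enable", default="YES")
    if anonymous:
        findings.append(
            "anonymous login enabled: files readable without a verified account")

    if not is_yes("ssl_enable"):
        findings.append(
            "ssl_enable=NO: credentials and file contents cross the network in cleartext")
    else:
        # Both force_* directives default to YES once ssl_enable=YES; an
        # explicit NO lets clients fall back to cleartext sessions.
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not is_yes(key, default="YES"):
                findings.append(f"{key}=NO: TLS is optional, cleartext fallback possible")

    if anonymous and is_yes("write_enable"):
        findings.append(
            "write_enable=YES with anonymous access: unauthenticated users can modify files")

    return findings


if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_ftp_config(cfg_text) or ['no findings']}")
```

The check treats an absent anonymous_enable directive as a finding because the server's default, not the administrator's intent, is what an Internet-facing host actually enforces; a configuration that is silent on the point is the one most likely to be indexed by a search engine without anyone noticing.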
In November 2015, Cottage discovered another server that was accessible on the Internet had been indexed by search engines and was unprotected for several weeks. This finding disclosed a second data breach affecting 4,596 Cottage patients with exposed sensitive protected information.
Consequently, the complaint against Cottage Health that led to the settlement charged the organization with violating three laws that impose required policies on the organization to protect health information.
Cottage Health now must develop and implement remediation policies and procedures covering unauthorized access, authentication by electronic signature keys, systems maintenance, and reasonable and appropriate administrative, technical and physical safeguards; it also must reasonably anticipate threats or other hazards to information security and integrity.
Cottage Health issued the following statement:
"This settlement involves unrelated data incidents that occurred in 2013 and 2015. Once we learned of the incidents, our information security team worked to provide resolutions. There is no indication that data was used in any malicious way.
"At Cottage Health, we have used this learning to strengthen our system security layers for improved detection and mitigation of vulnerabilities. Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data.
"We value the trust of our community and are committed to continuous advances in technology that enable us to protect patient privacy while providing authorized care providers the timely and effective data needed for medical treatments."