A California hospital system has come under fire from the state’s Attorney General following a pair of breaches of electronic health records systems. According to the authorities, one of the security lapses allowed the records to remain exposed for three years.
Cottage Health, based in Santa Barbara, recently settled with the state, agreeing to a $2 million fine, an upgrade to system security, and the hiring of a chief privacy officer. Had the state’s legal action gone to trial, Cottage Health could have been on the hook for as much as $275 million in penalties.
Court filings claimed Cottage Health allowed the records of more than 50,000 patients to be flagrantly exposed. According to a news report in the Santa Barbara Independent, the problem was brought to the attention of the authorities by an Arizona man who accessed private records using a simple Google search. It’s believed those records were completely accessible from 2011 to 2013.
Another instance occurred in 2015, when over 4,500 records were similarly exposed due to the absence of a working firewall on a Cottage Health server.
“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” California Attorney General Xavier Becerra said in a statement announcing the settlement. “The law requires healthcare providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”
Cottage Health representatives insist they acted quickly to rectify security lapses when they were discovered. They also maintain there is no evidence any of the exposed medical records were accessed with malicious intent.
A civil lawsuit was previously brought against Cottage Health on behalf of patients impacted by the breach. The hospital system settled that lawsuit for $4.1 million.
According to the Cottage Health website, the provider operates 23 hospitals and other healthcare facilities across Southern California.