Cottage Health System and its affiliated California hospitals recently agreed to a two million dollar settlement after the health system disclosed over 50,000 patients’ medical information. The settlement was announced by California Attorney General Xavier Becerra.
“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed. The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed,” said Attorney General Becerra.
One of Cottage Health’s servers was connected to the internet without any protection against unauthorized access. This led to patient medical records being viewable online. The health system was notified of this error in December 2013. In 2015, Cottage Health had a second data breach, resulting in the online viewing of over 4,000 patient records. The records remained online for two weeks.
Included in the terms of the settlement agreement is the requirement that Cottage Health System upgrade its data security practices. In an effort to protect medical information from unauthorized access and disclosure, Cottage Health must maintain an information security program that meets reasonable security practices and procedures for the healthcare industry. A Chief Privacy Officer will complete periodic risk assessments.