The federal government's data privacy and security
enforcement efforts have slowed down in the latter half of 2017,
but some states are picking up the slack. On November 22, the
California Attorney General announced a $2 million settlement with
Cottage Health System, based in Santa Barbara, to resolve two data
breach incidents in which more than 50,000 patients' records
were publicly exposed online.
In the first incident, discovered in 2013, one of Cottage's
servers was connected to the internet with no password protection
or encryption, leaving medical records vulnerable to unauthorized
access and even searchable online. The second breach, discovered in
2015, was similar and exposed the records of 4,596 more patients.
The Attorney General's complaint claimed that Cottage
"failed to employ basic security safeguards, leaving
vulnerable software unpatched or out-of-date, using default or weak
passwords, and lacking sufficient perimeter security, among many
other problems."
In addition to the $2 million fine, Cottage is required to upgrade
its data security practices, maintain an information security
program, and complete periodic risk assessments, among other
things.