More than 50,000 patients’ records were exposed online in 2013 and 2015 due to faulty data-protection practices, according to California’s attorney general.

A Santa Barbara healthcare system has agreed to a $2 million fine and to better safeguard patient information following a series of data breaches that exposed confidential information on about 50,000 patients.

The fine, announced last week by the California attorney general’s office, is part of the settlement reached with Cottage Health System and its affiliated hospitals in California for data breaches that occurred between 2013 and 2015.

The data breaches occurred because Cottage Health was running outdated software, failed to apply security patches, used weak password protection and misconfigured server settings.

California Attorney General Xavier Becerra says Cottage Health System failed to adequately protect patient records on two occasions. Cottage was notified in December 2013 that patients’ confidential medical information was viewable online. One of the company’s servers with medical records for more than 50,000 patients was connected to the internet without encryption, password protection, firewalls, or permissions that would have prevented unauthorized access, according to the California attorney general’s office.

In 2015 Cottage Health experienced a second data breach in which the records of 4,596 patients were accessible online for nearly two weeks. The security failures violated California’s Confidentiality of Medical Information Act and Unfair Competition Law, as well as the federal Health Insurance Portability and Accountability Act (HIPAA), the California attorney general says.

Under the settlement, Cottage Health will pay a $2 million penalty and upgrade its data security practices. Cottage Health is required to protect patients’ medical information from unauthorized access and disclosure and to maintain an information security program that meets reasonable security practices and procedures for the healthcare industry. Cottage Health also must designate an employee to serve as chief privacy officer and must complete periodic risk assessments, the state says.

“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra says. “The law requires healthcare providers to protect patients’ privacy and on both of these counts, Cottage Health failed.”

From 2011 through 2013, over 50,000 patients at Cottage Health had their personally identifiable information and electronic personal health information, including medical history, diagnoses, laboratory test results and medications, exposed and made searchable online, the state says. In 2015, about 5,000 Cottage patients had their medical record number, account number, name, address, Social Security number, employment information, admit and discharge dates and other personal information exposed and made searchable online.

The data breaches occurred because Cottage Health was running outdated software, failed to apply security patches, used weak password protection and misconfigured server settings that allowed private patient data to be indexed and published in search results on Google and other search engines, the state says.
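As an added example, not part of the original article and not anything Cottage Health or the attorney general published, the following Python script shows the kind of access-log check that surfaces the condition described above: records served with a 2xx status to clients that never authenticated, including search-engine crawlers that will then index what they fetched. The log lines, the `/records/` path and the crawler user-agent list are constructed assumptions for illustration.

```python
"""
Triage a web-server access log for patient records that were served without
authentication, and note which of those fetches came from search-engine
crawlers (the path an exposed record takes into Google's index).

Added example. The sample log lines, the /records/ prefix and the crawler
names are constructed assumptions, not details from the Cottage Health case.
"""
import re
from dataclasses import dataclass

# Apache/nginx "combined" log format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed list of crawler user-agent markers; extend for your environment.
CRAWLER_UA = re.compile(r"Googlebot|bingbot|DuckDuckBot|Baiduspider|YandexBot", re.I)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: int
    crawler: bool  # True when the anonymous fetch came from a known crawler


def audit(lines, sensitive_prefix="/records/"):
    """Return one Finding per successful, unauthenticated request under the
    sensitive prefix. A 401/403 means the access control did its job; a 2xx
    with remote user '-' means the server handed the record to anyone."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m.group("path")
        if not path.startswith(sensitive_prefix):
            continue
        status = int(m.group("status"))
        if 200 <= status < 300 and m.group("user") == "-":
            findings.append(
                Finding(m.group("ip"), path, status, bool(CRAWLER_UA.search(m.group("ua"))))
            )
    return findings


# Constructed sample log: two crawler fetches, one anonymous human fetch,
# one authenticated fetch, one rejected fetch, one unrelated request.
SAMPLE_LOG = [
    '66.249.66.1 - - [12/Dec/2013:03:14:07 -0800] "GET /records/patient_10234.pdf HTTP/1.1" 200 48213 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [12/Dec/2013:03:14:09 -0800] "GET /records/ HTTP/1.1" 200 9120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [12/Dec/2013:08:02:41 -0800] "GET /records/patient_10235.pdf HTTP/1.1" 200 51002 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"',
    '198.51.100.8 - jdoe [12/Dec/2013:08:05:13 -0800] "GET /records/patient_10236.pdf HTTP/1.1" 200 47710 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"',
    '203.0.113.5 - - [12/Dec/2013:09:30:00 -0800] "GET /records/patient_10237.pdf HTTP/1.1" 401 381 "-" '
    '"curl/7.29.0"',
    '203.0.113.5 - - [12/Dec/2013:09:30:05 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.29.0"',
]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        tag = "CRAWLER" if f.crawler else "anon"
        print(f"{tag:7} {f.ip:15} {f.status} {f.path}")
```

Run against the constructed log, the script reports three unauthenticated record fetches, two of them by Googlebot (the directory listing at `/records/` and one PDF); the authenticated `jdoe` request and the rejected `401` are correctly left out. The check is deliberately conservative: it keys on the server's own record of who was authenticated, not on the user-agent string, which a crawler or an attacker can set to anything.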

Cottage Health, which operates Santa Barbara Cottage Hospital, Goleta Valley Cottage Hospital, Cottage Rehabilitation Hospital, Santa Ynez Valley Cottage Hospital and Cottage Children’s Medical Center, has not yet commented publicly on the settlement.
