California Hospital Chain Agrees to $2 Million Settlement Following Breaches, Allegations of Lax Data Security

California-based hospital chain Cottage Health System recently agreed to a settlement with the state’s attorney general stemming from two separate data breaches. According to a recent press release from Attorney General Xavier Becerra announcing the settlement, the medical information of more than 50,000 patients was compromised in two separate incidents in 2013 and 2015. Under the terms of the settlement, the hospital chain must overhaul its security procedures, hire a chief privacy and security officer, conduct annual risk assessments, and pay a $2 million penalty.

According to the government’s complaint against Cottage, the hospital chain “failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.” The California Department of Justice became aware of the vulnerabilities after it was reported that one of the hospital’s servers was connected to the internet without firewalls, encryption, password protection, or other customary access controls. In response to the settlement, a Cottage spokesperson says the hospital chain has already taken steps to improve its security posture, including new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data.

TIP: This settlement is a reminder for all companies that collect, store, or transmit sensitive consumer information to review their data security protocols and procedures and to update or strengthen systems as needed to mitigate vulnerabilities.