California Attorney General Xavier Becerra has slapped Cottage Health System with $2 million in fines for a pair of breaches.
“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra said in a statement. “The law requires healthcare providers to protect patients' privacy. On both of these counts, Cottage Health failed.”
In the first breach, which occurred in 2013, an unencrypted server lacking basic protections such as password protection and a firewall left the records of 50,000 patients accessible online.
The second, in 2015, resulted in the records of 4,596 patients being accessible online for almost two weeks.
“This case is especially troubling because it was so preventable,” said AlertSec CEO Ebba Blitz. “HIPAA regulations have long since outlined basic provisions to keep data secure. Data must be encrypted. There is no excuse.”
Organizations that don't harden their security “are walking a tightrope – and while they may be fined, it's the individuals whose data is exposed that ultimately pay the price,” said Blitz.
The settlement also requires Cottage Health to improve its security practices, designate a Chief Privacy Officer, and conduct periodic risk assessments.