Cottage Health System has settled a state enforcement action over two separate data breaches that made more than 50,000 patients’ medical information publicly available online. The no-fault settlement requires Cottage Health System to:

  • Pay $2 million to the California Attorney General’s office.
  • Take steps to update its health care information security program for the next three years.
  • Designate an employee to oversee Cottage Health System’s compliance with state and federal privacy laws.
  • Complete and deliver an annual privacy risk assessment for the next two years to the California Attorney General’s Office.

Cottage Health System is a not-for-profit system based in Santa Barbara, California and includes Cottage Health, Goleta Valley Cottage Hospital, Santa Barbara Cottage Hospital, and Santa Ynez Valley Cottage Hospital. The health system first learned in December 2013 that 50,000 patients’ confidential medical information was publicly viewable online. During the attorney general’s investigation of that 2013 incident, the attorney general’s office discovered a second breach involving 4,596 patient records which were also publicly available online.

“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” said State Attorney General Xavier Becerra in a press statement announcing the settlement “The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”

This settlement shows that the California Attorney General’s Office will continue to enforce cybersecurity for Californians, including in the health care space. It also serves as a reminder to health care providers to be compliant with both federal and state health care privacy and security requirements.

The full settlement is available on the State of California’s Attorney General website.