California Medical Facility Owes $2M After Reaching Settlement with the State
Cottage Hospital was the victim of a breach that lasted a whopping three years. From 2011 to 2013, a security breach left 50,000 patient records exposed to anyone and everyone who completed a basic Google search. The information available online included patient names, addresses, dates of birth, and medical information.
The information was available until an Arizona man came across the data online. He then notified Cottage Hospital of the data he found. According to the Santa Barbara Independent, the information was available due to the hospital
“running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII [personally identifying information], and failing to conduct regular risk assessments, among other things.”
Just two years later, another breach occurred. This time, the breach only lasted two weeks and exposed under 5,000 patient records. However, the victims had more information exposed, including:
- Social security numbers
- Employment information
- Complaint states
This time, the information was available to basic online searches due to the lack of a server firewall.
Due to these two breaches, the State of California and Cottage Hospital ended up in a lawsuit. Cottage Hospital settled for $2 million, which may seem like a lot. However, if the State had won, the hospital would have been looking at upwards of $245 million in penalties.