Cottage Health System, a California not-for-profit healthcare system, will pay $2 million to settle allegations that it failed to protect patient medical information. The settlement comes after two separate Cottage data breaches caused more than 50,000 patients' medical information to be leaked online.
With the settlement, Cottage is required to upgrade its data security practices and develop an information security program, according to a prepared statement. Cottage also must designate an employee to serve as its chief privacy officer to perform periodic risk assessments.
Cottage initially was notified in December 2013 that its patients' confidential medical information was viewable online, California Attorney General Xavier Becerra stated. At this time, one of Cottage's servers with medical records for more than 50,000 patients was connected to the internet without encryption, firewalls, password protection or permissions.
In 2015, Cottage experienced a second data breach and leaked 4,596 patient medical records online for nearly two weeks, Becerra noted. Cottage's security failures violated California's Confidentiality of Medical Information Act and Unfair Competition Law and the Health Insurance Portability and Affordability Act (HIPAA).
Cottage includes healthcare providers that serve patients in San Luis Obispo, Santa Barbara and Ventura counties. The health system admitted more than 19,500 patients last year.
Do Healthcare Providers Prioritize Cybersecurity?
The Cottage data breaches highlight the potential impact of cyberattacks on healthcare systems. Meanwhile, many healthcare providers are prioritizing cybersecurity, which is reflected in a recent survey of 126 healthcare professionals conducted by the Healthcare Information and Management Systems Society (HIMSS).
Key findings from the "2017 HIMSS Cybersecurity Survey" included:
- 87 percent of respondents conduct security awareness training classes for their staff at least once a year.
- 80 percent employ cybersecurity staff.
- 60 percent retain a senior cybersecurity leader, such as a chief information security officer (CISO).
Global healthcare cybersecurity spending could surpass $65 billion cumulatively between 2017 and 2021, cybercrime research firm Cybersecurity Ventures indicated. As healthcare providers search for cybersecurity solutions, they may choose MSSPs that can deliver cloud support.
A survey of 180 healthcare professionals conducted by cloud services company Evolve IP revealed 81 percent of respondents said they plan to leverage new or additional cloud services in the next three years. In addition, the survey showed that healthcare professionals often deploy cloud security services to protect sensitive data against cyberattacks, environmental disasters and hardware failures.