The federal government's data privacy and security enforcement efforts have slowed down in the latter half of 2017, but some states are picking up the slack. On November 22, the California Attorney General announced a $2 million settlement with Cottage Health System, based in Santa Barbara, to resolve two data breach incidents in which more than 50,000 patients' records were publicly exposed online.

In the first incident, discovered in 2013, one of Cottage's servers was connected to the internet with no password protection or encryption, leaving medical records vulnerable to unauthorized access and even searchable online. The second breach, discovered in 2015, was similar and exposed the records of 4,596 more patients. The Attorney General's complaint claimed that Cottage "failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems."

In addition to the $2 million fine, Cottage is required to upgrade its data security practices, maintain an information security program, and complete periodic risk assessments, among other things.

