California healthcare provider gets $2 million penalty for leaking 50,000 patient records

Not-for-profit Cottage Health System has agreed to pay the state of California $2 million for suffering multiple data breaches between 2013 and 2015. Taking a leaf from the EU’s playbook, the state of California is demanding that the healthcare institution appoint a Chief Privacy Officer – the equivalent of a Data Protection Officer stipulated by European law.

In December 2013, Cottage Health System suffered a breach that compromised the health information of 50,000 patients. While the Attorney General’s office was investigating the first breach two years later, the healthcare provider suffered a second breach and more than 5,000 new records were leaked online.

A press release issued this week by the Office of the Attorney General confirms that Cottage Health has reached an agreement with the State of California to pay $2 million for its repeated blunders involving patient health information (PHI).

“When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” said California Attorney General Xavier Becerra. “The law requires health care providers to protect patients' privacy. On both of these counts, Cottage Health failed.”

Besides paying $2 million, Becerra said Cottage Health must:

• upgrade its data security practices
• protect patients’ medical information from unauthorized access and disclosure
• maintain an information security program that meets reasonable security practices and procedures for the health care industry
• designate an employee to serve as a Chief Privacy Officer
• complete periodic risk assessments

The rules imposed by the State of California onto Cottage Health closely resemble the European Union’s compliance requirements for the General Data Protection Regulation (GDPR).

Specifically, the European law demands that all companies processing user data appoint a Data Protection Officer in charge as a liaison between the organization and authorities.

The GDPR will take effect May 2018 and will apply to every organization processing “personally identifiable information” of EU residents, including those organizations with offices outside the European Union.