I have written about the troubles of Cottage Health System in California. They were breached and the protected Health Information of at least 32,000 patients was compromised.
The situation was that they had outsourced the storage of patient records to InSync, which by itself is not a problem, but InSync made this data available on the Internet, unencrypted, where it was indexed by Google.
$4 million later, the hospital submitted bills to their insurance company, which paid the bills.
The insurance company later came back and said that the hospital lied when it filled out a risk control questionnaire and as a result, they want their money back. Plus expenses and legal fees. That is going back and forth and will probably be settled in private.
Now the California Attorney General has decided that Cottage broke the law by exposing patient data in two breaches, including the one above.
The state is fining Cottage $2 million (which their insurance carrier is not likely to pay) and also requiring them to make a number of changes to their previously non-existent cyber security program. This includes risk assessments, vulnerability scans, training, policies and several other items.
The state said:
“Cottage was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII, and failing to conduct regular risk assessments, among other things,”
Had Cottage not lied on their insurance questionnaire, the carrier would likely have paid for all of this making Christmas much merrier for the hospital administration.
Of course, if they had a good cyber security program they might not even have gotten breached, which would have been good news all around.
Cottage Health is not some huge organization, so having to come up with $6 million plus spending money on doing the things the state is making them do will probably put a significant crunch on their finances.
And it started from the hospital administration not doing what they said they were doing, on the insurance risk questionnaire.