Case 992789: $2M Settlement Between California Attorney General and Cottage Health Over Exposure of Patient Records



This case (992789), in which unencrypted health data allegedly exposed patient information, is documented in Advisen’s Cyber Loss Data.

The defendants are Cottage Health, Goleta Valley Cottage Hospital, Santa Barbara Cottage Hospital, and Santa Ynez Valley Cottage Hospital (in aggregate referred to as Cottage Health).

In December 2013, Cottage Health was notified that patient information was discoverable on the web. A company server containing the medical records of more than fifty thousand patients was viewable online without decryption or a password. The data was not protected by firewalls or by permissions that would have prevented bad actors from retrieving the sensitive material.

In 2015, while the Attorney General was investigating the 2013 incident, Cottage Health sustained another data breach. This time, records for 4,596 patients were visible on the web for nearly two weeks.

On November 21, 2017, in the Superior Court of the State of California for the County of Santa Barbara, the Attorney General’s Office stated that Cottage Health had violated California’s Confidentiality of Medical Information Act (CMIA) and Unfair Competition Law (UCL). On November 22, 2017, the California Attorney General, Xavier Becerra, announced a $2 million settlement with Cottage Health.

Under the settlement, Cottage Health is required to pay a $2 million penalty and upgrade its data security practices.
Cottage Health is required to protect patient information from unauthorized access and disclosure.
Cottage Health is also ordered to maintain information security standards for the healthcare industry.
Finally, Cottage Health must retain an employee to work as Chief Privacy Officer, tasked with the regular assessment of risk.


Company Data

Cottage Health is headquartered in the United States.
Its SIC code is 8399 – Social Services, Nec.
Its NAICS code is 81312 – Voluntary Health Organizations.



Advisen data consists of publicly verifiable source material.
