Cottage Health, a three hospital health care system located in California has agreed to pay the California Attorney General’s Office $2 million to settle allegations that it failed to implement data security safeguards to protect patients’ health information that was accessible online and indexed by search engines.

In December 2013, it was discovered that one of Cottage Health’s servers was connected to the Internet without encryption, password protection, firewalls or access controls, which exposed health information of 50,000 patients between 2011 and 2013.

Then on November 8, 2015, when state authorities were investigating the first incident, the hospital’s server was misconfigured and the medical records of 4,596 were publicly available.

According to the California Department of Justice, Cottage Health violated the California Confidentiality of Medical Information Act and Unfair Competition Law by failing to keep the information secure. It stated that “Cottage Health failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.” Sounds like a data security roadmap.

In addition to the payment of the $2 million fine, Cottage Health is required by the settlement to hire a data privacy and security officer to develop and maintain appropriate policies and procedures and perform annual privacy risk assessments.