California-based Cottage Health settled with the Department of Health and Human Services’ Office for Civil Rights for $3 million and the adoption of a corrective action plan, over two separate security incidents in 2013 and 2015 that breached the data of more than 62,500 patients.
The first breach occurred in December 2013, when a Cottage Health server was left accessible from the internet. The OCR investigation revealed that the security configuration settings on the operating system gave access to patient health information without requiring a username or password.
The misconfiguration exposed the names, addresses, dates of birth, diagnoses, lab results, and other treatment information of more than 32,000 patients.
Two years later, Cottage Health reported another breach: this time, a server was misconfigured following an IT response to a troubleshooting ticket. The mistake exposed unsecured ePHI over the internet, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, and other treatment details.
OCR officials launched an investigation into the events and determined Cottage Health failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities around ePHI confidentiality and integrity.
Further, OCR found that Cottage Health failed to implement security measures “sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” The provider also did not perform periodic evaluations in response to operational and environmental changes that would impact ePHI.
Cottage Health also failed to obtain a written business associate agreement with a contractor that maintained ePHI.
As a result, in addition to the $3 million settlement, Cottage Health must also abide by a corrective action plan. Among steps to bolster its security program and policies, the provider must conduct a thorough assessment of the risks and vulnerabilities to ePHI, including a complete inventory of all ePHI maintained by Cottage Health.
The risk analysis must be provided to OCR within 180 days. Within 90 days of receipt, OCR will determine whether it agrees with the assessment and will provide any recommendations or comments. The assessment must be reviewed annually.
Cottage Health must also develop an enterprise-wide risk management plan, which will include a process and timeline for the implementation, evaluation, and revision of its risk remediation activities. The health system already settled with California for these breaches in November 2017 for $2 million.
OCR’s settlement with Cottage Health was agreed to in December 2018, closing out what officials said was a record year for HIPAA enforcement. OCR agreed to 10 settlements and one summary judgment, for a total of $23.5 million, including the largest individual HIPAA settlement in history: $16 million with Anthem.
“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” OCR Director Roger Severino said in a statement. “Information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”