Cottage Health agrees to $3M HIPAA settlement

Santa Barbara, Calif.-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information.

Cottage Health, which operates four hospitals in California, notified HHS' Office for Civil Rights about two breaches of unsecured electronic protected health information — one in December 2013 and another in December 2015 — affecting more than 62,500 individuals.

The first breach occurred when the security configuration settings of the Windows operating system on one of the health system's servers reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet who could reach Cottage Health's server.

The second breach, which also reportedly exposed unsecured ePHI over the internet, occurred after a server was misconfigured in response to an IT troubleshooting ticket.

During its investigation, OCR determined that Cottage Health had failed to perform periodic evaluations in response to operational changes affecting the security of ePHI and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf, among other issues.

"The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during and after a covered entity makes system changes," OCR Director Roger Severino said in a news release.

In an emailed statement to Becker's Hospital Review, a Cottage Health spokesperson said: "This settlement involves data incidents that occurred in 2013 and 2015. Since that time Cottage Health has completed a third-party audit of data systems and implemented additional measures to secure private information. We are committed to ongoing advances in data security."



© Copyright ASC COMMUNICATIONS 2019.
