Cottage Health has agreed to pay a $3,000,000 settlement to the Department of Health and Human Services’ Office for Civil Rights (OCR) for two data breaches resulting from HIPAA violations.
Cottage Health is a non-profit health provider based in Santa Barbara, California. The organisation operates four hospitals: Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation Hospital.
The two data breaches occurred within two years of each other. The first breach was discovered in 2013 when an anonymous individual left a message on Cottage Health’s voicemail system warning that search engines had indexed sensitive patient information. The protected health information (PHI) of Cottage Health’s patients was freely available via Google.
Around 50,000 patients were found to be affected by the breach. The data could be retrieved online without any authentication, such as a password, and the server on which it was stored was not protected by a firewall. The compromised data included patient names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was unsecured.
While the 2013 breach was being investigated by the then California Attorney General Kamala Harris, a second breach occurred in 2015. This breach was again attributed to server misconfiguration, and PHI was readily available over the internet with no authentication required. Unauthorised individuals could access patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, and other treatment information.
The information was left exposed online for almost two weeks before the error was identified and protections put in place to prevent unauthorised access. The 2015 data breach was smaller than the previous breach, with only 4,500 people affected.
Cottage Health has already paid a $2 million settlement to the California Attorney General’s office for the violations of state and federal law which led to the data breaches.
In addition to the Attorney General’s inquiry into the breaches, OCR launched its own investigation. The aim was to assess Cottage Health’s efforts to comply with HIPAA both before and after the discovery of the breach. OCR determined that Cottage Health had failed to conduct a comprehensive, organisation-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).
The inquiry found that risks and vulnerabilities had not been reduced to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).
Cottage Health had not conducted regular technical and non-technical evaluations following environmental or operational changes, which violated 45 C.F.R. § 164.308(a)(8).
OCR also discovered that Cottage Health had failed to enter into a business associate agreement (BAA) with a contractor that maintained ePHI, as required by the HIPAA Rules. This violated 45 C.F.R. § 164.308(b) and 164.502(e).
In addition to paying the fine, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive risk analysis across all of its operations to identify all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes, and a process for evaluating such changes must also be implemented.
Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules. Staff must receive training on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.
“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”