HHS Reports Settlement on HIPAA Breach

On Feb. 7, 2019, HHS announced that its final settlement of the year occurred in December 2018, when Cottage Health agreed to pay $3,000,000 and to adopt a substantial corrective action plan to settle potential violations of HIPAA.

As background, Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital, in California. The HHS Office for Civil Rights (OCR) received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals, one in December 2013 and another in December 2015. OCR is responsible for HIPAA enforcement and investigated the two reported breaches.

The first breach arose when ePHI on a Cottage Health server was accessible from the internet. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.

The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions and other treatment information.

OCR’s investigation into Cottage Health found that they failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
  • Perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI
  • Obtain a written business associate agreement with a contractor that maintained ePHI on its behalf

For employers, this decision is a great reminder that the OCR is actively pursuing HIPAA violations, especially those issues related to data security. Employers should conduct routine risk assessments and address any discovered vulnerabilities. When a company is investigated, the OCR will likely impose penalties if a company fails to implement effective safeguards, such as data encryption, as required to protect sensitive information.

Finally, OCR concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and was granted summary judgment in a case before an Administrative Law Judge, together totaling $28.7 million from enforcement actions. This total surpassed the previous record of $23.5 million, set in 2016, by 22 percent. In addition, OCR achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. A summary of all 2018 OCR HIPAA settlements and judgments may be found at on the HHS website’s Health Information Privacy page.

OCR Press Release »
Resolution Agreement »