[BreachExchange] Cottage Health agrees to $3M HIPAA settlement

Destry Winant destry at riskbasedsecurity.com
Tue Feb 12 08:57:38 EST 2019


https://www.beckershospitalreview.com/cybersecurity/cottage-health-agrees-to-3m-hipaa-settlement.html

Santa Barbara, Calif.-based Cottage Health agreed to pay $3 million
and implement a corrective action plan as part of a HIPAA settlement
to resolve allegations it had unintentionally disclosed electronic
patient information.

Cottage Health, which operates four hospitals in California, notified
HHS' Office for Civil Rights about two breaches of unsecured
electronic protected health information — one in December 2013 and
another in December 2015 — affecting more than 62,500 individuals.

The first breach occurred when the security configuration settings of
the health system's Windows operating system reportedly permitted
access to files containing ePHI without requiring a username and
password. As a result, patient information was available to anyone on
the internet with access to Cottage Health's server.

The second breach, which also reportedly exposed unsecured ePHI over
the internet, occurred after a server was misconfigured in response to
an IT troubleshooting ticket.

During its investigation, OCR determined that Cottage Health had
failed to perform periodic evaluations in response to operational
changes affecting the security of ePHI and failed to obtain a written
business associate agreement with a contractor that maintained ePHI on
its behalf, among other issues.

"The Cottage settlement reminds us that information security is a
dynamic process and the risks to ePHI may arise before, during and
after implementation when a covered entity makes system changes," OCR
Director Roger Severino said in a news release.

In an emailed statement to Becker's Hospital Review, a Cottage Health
spokesperson said: "This settlement involves data incidents that
occurred in 2013 and 2015. Since that time Cottage Health has
completed a third-party audit of data systems and implemented
additional measures to secure private information. We are committed to
ongoing advances in data security."
