The California-based Cottage Health system has been ordered to pay $3 million in fees after the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) uncovered a pair of significant HIPAA violations.

The first breach occurred in 2013, when it was discovered that security settings had been misconfigured on a Windows operating system. This oversight left the electronic Protected Health Information (ePHI) of more than 50,000 patients exposed. Potential intruders would have been able to access patient names, addresses, dates of birth, diagnoses, and lab results, among other sensitive entries, without needing a username or password.

The second happened in 2015, after an IT trouble ticket left a server improperly configured and again exposed the ePHI of more than 5,000 patients. This time patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, and treatments were all left open to access without any log-in credentials.

The affected hospitals, which all operate under the Cottage Health umbrella, include: Ynez Hospital, Cottage Rehabilitation Hospital, Santa Barbara Cottage Hospital, and Goleta Valley Cottage Hospital.

In addition to the substantial $3 million fine, Cottage Health system was required to undergo an extensive set of corrective actions to prevent future violations. Corrective measures included:

  • Develop and implement a risk-management contingency plan
  • Intensify its training program for employees who have access to PHI
  • Conduct a risk analysis across the breadth of the system

This case resolution caps a record year for the OCR, whose enforced penalties rose by more than 22 percent over its previous record year, 2016.

OCR Director Roger Severino had this to say regarding the organization's performance in 2018: “Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action.” He then offered a cautionary statement pertaining to Cottage Health's oversight: “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”

This pair of occurrences serves as a clear illustration of the consequences that can arise from a lapse in security controls. HIPAA standards are put in place to protect patients as well as the organizations that serve them, which makes breaches extremely serious business. Understanding these standards is paramount in avoiding accidental breaches like those experienced by Cottage Health system. Visit HIPAAgps to learn more and try our simple-to-use compliance system risk-free for 7 days!