Cottage Health Settles with OCR for $3M

Robinson+Cole Data Privacy + Security Insider

We previously reported that Cottage Health, a health care entity operating several hospitals in California, settled with the State of California for $2 million for a security incident that occurred in 2013. On February 7, 2019, the Office for Civil Rights (OCR) issued a press release announcing that in December 2018 it settled HIPAA violations with Cottage Health, including two security incidents, one in 2013 and one in 2015.

The security incident in 2013 occurred when a server was not secured, leaving the protected health information of patients accessible over the internet and compromising the names, addresses, dates of birth, diagnoses, lab tests and treatment information of the patients. The security incident in 2015 occurred when IT personnel removed protection on a server while troubleshooting, which allowed patients’ information, including names, addresses, dates of birth, Social Security numbers, diagnoses and treatment information, to be accessible on the internet without a username and password.

The OCR further alleged that Cottage Health failed to enter into a business associate agreement with a contractor to which it forwarded protected health information.

In addition to the settlement amount of $3 million, Cottage Health has agreed to enter into a three-year Corrective Action Plan, which includes completion of an organization-wide risk analysis, the development and implementation of organization-wide policies and procedures, and the training of staff members on the newly implemented policies and procedures.

This last settlement in December makes 2018 a banner year for the OCR, with the largest amount of settlements in its history: eleven, totaling $28,683,400.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
