In December 2018, Cottage Health of California, which operates four hospitals, agreed to pay $3 million to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Rules concerning two breach reports of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals. Cottage Health reported the December 2013 and December 2015 breaches to OCR. The breaches exposed unsecured ePHI over the internet, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, lab results and other treatment information. OCR’s investigation revealed that Cottage Health failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf. For additional information, see the OCR Resolution Agreement and Corrective Action Plan for Cottage Health.