We previously reported that Cottage Health, a health care entity operating several hospitals in California, settled with the State of California for $3 million in regard to a security incident that occurred in 2013. On February 7, 2019, the Office for Civil Rights (OCR) issued a press release announcing that it had settled HIPAA violations with Cottage Health in December 2018, including those involving two security incidents—one in 2013 and another in 2015.

The security incident in 2013 occurred when a server was not secured, leaving the protected health information of patients accessible over the internet and compromising the names, addresses, dates of birth, diagnoses, lab tests, and treatment information of the patients. The security incident in 2015 occurred when protection on a server was removed while IT personnel were troubleshooting, which allowed patients’ information, including names, addresses, dates of birth, Social Security numbers, diagnoses, and treatment information, to be accessible on the internet without a username and password.

The OCR further alleged that Cottage Health failed to enter into a business associate agreement with a contractor to which it forwarded protected health information.

In addition to the settlement amount of $3 million, Cottage Health has agreed to enter into a three-year Corrective Action Plan, which includes completion of an organization-wide risk analysis, the development and implementation of organization-wide policies and procedures, and the training of staff members on the newly implemented policies and procedures.

This last settlement in December makes 2018 a banner year for the OCR—with the largest amount of settlements in its history—11—totaling $28,683,400.