Cottage Health has agreed to pay $3M to the Office for Civil Rights (OCR) to settle HIPAA violations.

Cottage Health, which operates several hospitals, agreed to pay the fine and implement a corrective action plan in the wake of an investigation into the breaches that affected a total of 62,500 individuals. The California attorney general had reached a $2 million settlement with Cottage Health earlier. In the latest settlement, the department Health and Human Services (HHS) details the latest $3 million HIPAA settlement for the healthcare provider related to two breaches.

The first of the two Cottage Health breaches, occurred in 2013 and affected more than 50,000 patients. This breach occurred when electronic protected health information (ePHI) on a server was made publicly accessible on the internet.

The second breach occurred in 2015, and impacted more than 5,000 individuals. The breach occurred when a server was mis-configured following an IT response to a troubleshooting ticket and exposed unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions and other treatment information, the agency notes.

OCR’s investigation revealed several compliance issues for Cottage Health including:

• Failing to conduct an accurate and thorough risk assessment
• Failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
• Failing to perform periodic technical and non-technical evaluations of ePHI security
• Failing to execute a business associate agreement (BAA) with a contractor that maintained ePHI on its behalf

In addition to the $3 million settlement, Cottage will undertake a corrective action plan to comply with the HIPAA Rules. This settlement makes 2018 a record year for total HIPAA settlement fines.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”

What Does This Violation Mean?

This settlement is the latest in a number of large penalties issued by HHS for HIPAA breaches. One of the largest issues with the Cottage Health security plan was the lack of continuous assessment and monitoring. Risk assessments must be conducted on an annual basis and are only an evaluation for a single point in time. Healthcare organizations must always assess their changing infrastructure and employee structure. Policies, compliance roles, and access levels, and audit logs should be reviewed on a frequent basis. Dash continuous compliance management constantly scans your organization’s cloud environment for potential compliance issues related to administrative and technical controls.

How Can Dash Help?

Unlike many solutions which address either technical controls or administrative controls, Dash empowers users to customize and create policies then enforce those policies via continuous compliance monitoring.  For this specific violation, the Dash System Access Policy would cover specifics on access control and PHI access.  By connecting this policy to IAM settings and cloud service monitoring, Dash detects issues related to public access and access control, allowing Dash users can prevent this exact issue in a customized and proactive manner.