Cottage Health Hit With $3 Million HIPAA SettlementLatest in a Series of Substantial HHS Penalties for Violations
The U.S. Department of Health and Human Services has hit a California-based healthcare provider with a $3 million HIPAA settlement related to two breaches involving misconfigured IT. It's the latest in a recent series of hefty penalties issued in HIPAA cases.
On Thursday, HHS' Office for Civil Rights said Cottage Health, which operates several hospitals, agreed to pay the fine and implement a corrective action plan in the wake of an investigation into the breaches that affected a total of 62,500 individuals. Earlier, the California attorney general had reached a $2 million settlement with Cottage Health.
"The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during and after implementation covered entity makes system changes," said OCR Director Roger Severino.
Other covered entities and business associates should learn from this latest OCR enforcement action, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"Information systems are continuously updated, patched or upgraded. It is critical that there are change management policies and procedures in place when enacting changes in the information system or its environment," he says.
The first of the two Cottage Health breaches, which occurred in 2013 and affected more than 50,000 patients, arose when electronic protected health information on a server was accessible from the internet.
"OCR's investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password," OCR states. "As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health's server."
The second breach in 2015, which impacted more than 5,000 individuals, occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions and other treatment information, the agency notes.
OCR says its investigation revealed that Cottage Health failed to:
- Conduct an accurate and thorough risk assessment;
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
- Perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI;
- Obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.
The resolution agreement between Cottage Health and OCR calls for the healthcare provider to take a number of corrective actions, including:
- Conduct an enterprisewide risk analysis;
- Develop and implement an enterprisewide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
- Implement a process for evaluating environmental and operational changes that affect the security of the entity's ePHI;
- Maintain and revise as necessary - and distribute to its workforce - written policies and procedures to comply with federal privacy and security standards;
- Augment its HIPAA and security training program for all workforce members who have access to PHI.
In a statement provided to Information Security Media Group, Cottage Health says: "This settlement involves data incidents that occurred in 2013 and 2015. Since that time, Cottage Health has completed a third-party audit of data systems and implemented additional measures to secure private information. We are committed to ongoing advances in data security."
In 2018, OCR signed settlements in 10 HIPAA cases, and in another case, it was granted summary judgment before an HHS administrative law judge. The 11 cases had a combined $28.7 million in penalties, although Cottage Health paid its penalty in 2019.
"I want them to do effective and smart enforcement. Having a 'bigger' number doesn't mean they are doing a better job."
—Kirk Nahra, Wiley Rein
OCR notes in that the total amount levied in 2018 enforcement actions surpassed its previous record of $23.5 million in 2016. That year, OCR issued 13 settlements, plus one civil monetary penalty case.
"Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action," Severino said.
In 2018, OCR signed its largest individual HIPAA settlement so far - a $16 million resolution agreement and corrective action plan with Anthem Inc. over a cyberattack detected in 2015 that impacted nearly 79 million individuals.
That settlement was three times as large as the the agency's previous record settlement of $5.5 million in 2016 with Memorial Healthcare System in a breach case involving tax fraud.
OCR's Severino is slated to present a HIPAA enforcement and compliance update on Tuesday, Feb. 12, at the HIMSS19 conference in Orlando, Florida.
Some experts question if OCR should "count" the settlement with Cottage Health in its 2018 enforcement action tally because the penalty for the settlement signed in 2018 was paid in 2019.
"If you look at OCR's resolution agreements over the past few years, by their own terms they are effective when payment is received from the HIPAA covered entity or business associate," Holtzman notes. "It is unusual that in this case, the health system was allowed seven weeks from the signing of the agreement to pay the penalty amount."
Although OCR signed the resolution agreement with Cottage Health in December, the resolution agreement indicated that the entity had until Jan. 30, 2019, to pay up. Typically, OCR doesn't announce or "count" a HIPAA enforcement action until funds are collected, he notes.
There have been a handful of other exceptions, but mostly in enforcement actions involving administrative law judgements or civil monetary penalties levied against entities.
For instance, OCR in June 2018 announced that an HHS administrative law judge ruled in favor of OCR in a HIPAA investigation case involving three breaches, requiring that the University of Texas MD Anderson Cancer Center pay $4.3 million in civil money penalties for HIPAA violations. But that money has not yet been collected by HHS because the ruling is being appealed by MD Anderson.
Also in 2011, OCR issued a $4.3 civil monetary penalty against Cignet Health for violations of the HIPAA Privacy Rule involving the Prince George's County, Maryland-based clinic's failure to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators. OCR officials say Cignet filed for bankruptcy and did not end up paying the penalty.
Some security experts suggest that OCR should steer clear of attempting to set "records."
"It's purely an agency promotional issue. It says very little about whether enforcement is appropriate, strong, weak or anything else," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
The $16 million settlement signed in 2018 with Anthem "obviously distorts against any measurement," he adds. "I want them to do effective and smart enforcement. Having a "bigger" number doesn't mean they are doing a better job. It could mean - and I am not saying that is the case here - that they are actually doing less thoughtful enforcement."
As for predictions about OCR's enforcement activities in 2019, Nahra says: "I would expect enforcement activity to continue to move along at its regular pace. Whether they hit some dollar amount is somewhat independent of that - it just goes to how quickly cases resolve and how much money they can get in specific instances."
HIPAA covered entities and business associates "sit-up and take notice" when OCR engages in high-profile enforcement actions, Holtzman notes.
"While some in the healthcare industry bemoan that the HIPAA rules are a burdensome government mandate, patients and their families want to be able to sleep safe at night knowing there is accountability for failing to have basic information security safeguards for their health information."