Health Data Breaches Lead to $2 Million California PenaltyWill More State Enforcement Actions Follow in Other Breach Cases?
The California attorney general's office has smacked Cottage Health System, which operates five hospitals in the Santa Barbara area, with a $2 million settlement in the wake of breaches in 2013 and 2015 that exposed data on about 55,000 patients.
The settlement offers a critical reminder of the importance of implementing safeguards to protect patient data from exposure on the Internet.
"Numerous basic information security practices appear to have been neglected or violated at Cottage Health," says security and privacy expert Kate Borten of The Marblehead Group consultancy. "In these times, even the smallest providers should understand and follow reasonable practices or contract with a reliable IT security vendor. There's no excuse for these types of breaches anymore."
The hefty penalty imposed in the case also is an example of the enforcement power that state attorneys general can exercise, regardless of whether federal HIPAA enforcers take action.
Cottage Health discovered the breach on Dec. 2, 2013, after it "received a voicemail message informing it that a file containing personal health information of certain patients may be available on Google," according to a Dec. 11, 2013, letter sent by the the healthcare system's attorney to then-California Attorney General Kamala D. Harris.
In a Nov. 22 statement, current California Attorney General Xavier Becerra says one of Cottage's servers "with medical records for more than 50,000 patients was connected to the internet without encryption, password protection, firewalls or permissions that would have prevented unauthorized access."
But in 2015, during the state's investigation into the 2013 breach, Cottage Health experienced a second, separate data breach in which the records for 4,596 patients became accessible online for nearly two weeks, the statement says. "The attorney general's office alleged that Cottage's security failures violated California's Confidentiality of Medical Information Act and Unfair Competition Law, as well as the federal HIPAA [regulations]."
Under the settlement, Cottage Health, in addition to paying the penalty, is required to upgrade its data security practices. The healthcare provider is required to protect patients' medical information from unauthorized access and disclosure and to maintain an information security program that meets reasonable security practices and procedures for the healthcare industry, according to the settlement. That includes:
- Assessing hardware and software used within Cottage's computer network for potential risks and vulnerabilities and updating security settings and access controls where appropriate;
- Evaluating the response to and protections from external threats;
- Encrypting patients' medical information in transit;
- Maintaining reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management and remediation plans;
- Conducting periodic vulnerability/penetration testing to identify, assess and remediate vulnerabilities;
- Training employees on the collection, use and storage of patients' medical information.
Cottage Health must also designate an employee to serve as chief privacy officer and to complete periodic risk assessments, the settlement specifies.
Cottage Health's Response
In a statement provided to Information Security Media Group, Cottage Health says the settlement "involves unrelated data incidents that occurred in 2013 and 2015. Once we learned of the incidents, our information security team worked to provide quick resolutions. There is no indication that data was used in any malicious way."
Cottage Health has "used this learning to strengthen our system security layers for improved detection and mitigation of vulnerabilities. Upgrades include new system monitoring, firewalls, network intrusion detection, and access management protocols to help protect private data," the statement says.
Only one Cottage Health breach is listed on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame." That December 2015 incident is listed as an unauthorized access/disclosure breach involving a network server and impacting 110,000 individuals.
OCR did not immediately respond to an ISMG request for comment on whether OCR is still investigating the Cottage Health incident. California's attorney general's office did not immediately respond to ISMG's inquiry about whether the total of 55,000 people it says were impacted by Cottage's two breaches reflect only the tally for California residents.
The hefty penalty imposed in the case demonstrates the enforcement power that is sometimes exercised by state attorneys generals even if federal regulators choose not to pursue enforcement against covered entities or business associates.
"Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorneys general enforcing their respective state laws," says healthcare attorney Elizabeth Hodge of the law firm Akerman LLP.
"We have already seen state attorneys general launch investigations of organizations in other industries that have suffered data breaches. So healthcare organizations should not be surprised if, after a breach, they face investigations at the state level for possible violations of HIPAA and various state laws. There is also the real possibility that where a breach involves patients in multiple states, the attorneys general of those states may work cooperatively to investigate the matter and file a complaint," she says.
HIPAA enforcement activity in the Trump administration may diminish, says attorney Stephen Wu of Silicon Valley Law Group.
"The Trump administration is not moving quickly to get [leadership and personnel] settled across all its agencies, and Republican administrations tend to prefer industry self-regulation," he says. "In states with Democrat attorneys general, enforcement of these kinds of cases could have an even higher priority."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "Massachusetts has been the most active in using its HITECH Act authority to enforce HIPAA. But the overall winner of the health information enforcement prize is the California Department of Public Health, which does not have authority to enforce HIPAA but has issued fines under the California Confidentiality of Medical Information Act in many dozens of cases."
The last HIPAA enforcement action by OCR was announced in May (see Big Settlement in Privacy Case Involving 2 Patients' HIV Data).
Prior to that enforcement settlement, OCR had been issuing settlements in HIPAA cases on almost a monthly basis in 2016 through early 2017. OCR officials have contended that the apparent slowdown in settlements is due mainly to the new OCR director, Roger Severino, settling in and not due to a de-emphasis on enforcing HIPAA.
"I believe that this lull is fairly typical after new administrations, and that enforcement is likely to pick back up next year," predicts Greene, a former OCR staff member. "None of the statements that I have heard or read from Severino or his background as a prosecutor suggest that he is looking to make significantly weaker OCR HIPAA enforcement.
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, offers a similar assessment. "I believe that it would be a mistake to assume that OCR has lightened up on its [HIPAA] enforcement efforts because no settlements have been announced in over six months," he says. "In the nearly 15 years OCR has been enforcing the HIPAA rules, it has investigated and closed over 25,000 cases through obtaining corrective action by the covered entity or business associate. I see no evidence that the pace of or commitment to enforcement actions that are occurring behind the scenes has changed."
Other Legal Actions
The 2013 Cottage Health data breach was also the subject of a class action lawsuit that was settled in December 2014. That lawsuit also alleged lapse in protection of a Cottage Health server by one of the healthcare provider's business associates, INSYNC Computer Solutions.
In May 2015, cyber insurer Columbia Casualty, which paid more than $4 million, plus defense attorney expenses, to settle the class action suit against its client, Cottage Health, filed its own lawsuit against the healthcare provider in an attempt to claw back the payments it made to settle that case. That lawsuit, however, was dismissed in July 2015.