$3 Million Settlement for Two Separate HIPAA Breaches Affecting Over 62,500 Individuals

$3 Million Settlement for Two Separate HIPAA Breaches Affecting Over 62,500 Individuals
Thursday, February 14, 2019

Cottage Health and the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS-OCR) recently entered into a $3 million no-fault settlement and three-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This was HHS-OCR’s last HIPAA related settlement of 2018 – a record year in HIPAA enforcement activity, as detailed in this DBR on Data blog post.

HHS-OCR received notifications from Cottage Health on December 2, 2013, and December 1, 2015, regarding breaches of unsecured electronic protected health information (ePHI) affecting approximately 50,917 individuals and 11,608 individuals, respectively. According to the resolution agreement, the December 2013 breach resulted from a contractor removing the electronic security protections from one of Cottage Health’s servers, which made ePHI fully internet accessible and available for download without a username and password.  The December 2015 breach arose from an employee activating the wrong website on a database management system server in response to an IT troubleshooting ticket, which also resulted in ePHI becoming fully accessible on the internet.

HHS-OCR alleged that Cottage Health failed to do the following:

  • Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to its ePHI as required by HIPAA.

  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with HIPAA.

  • Perform a technical evaluation in response to its contractor installing software.

  • Obtain satisfactory assurances in the form of a business associate agreement that the contractor would appropriately safeguard ePHI that the contractor maintained on behalf of Cottage Health.

In addition to the significant settlement figure, Cottage Health will undergo a robust corrective action plan, which includes an enterprise-wide risk analysis, implementing a risk management plan, evaluating environmental and operational changes, and developing and distributing policies and procedures that address HIPAA Privacy and Security Rules.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC