July 20, 2019

July 19, 2019


July 18, 2019


Cottage Health Settles with OCR for $3M

We previously reported that Cottage Health, a health care entity operating several hospitals in California, settled with the State of California for $2 million for a security incident that occurred in 2013. On February 7, 2019, the Office for Civil Rights (OCR) announced in a press release that it had settled HIPAA violations with Cottage Health in December 2018. The violations involved two security incidents, one in 2013 and one in 2015.

The 2013 security incident occurred when a server was not secured, leaving patients' protected health information accessible over the internet and compromising their names, addresses, dates of birth, diagnoses, lab tests and treatment information. The 2015 security incident occurred when IT personnel removed protection on a server during troubleshooting, which allowed patients' information, including names, addresses, dates of birth, Social Security numbers, diagnoses and treatment information, to be accessible on the internet without a username and password.

The OCR further alleged that Cottage Health failed to enter into a business associate agreement with a contractor to which it forwarded protected health information.

In addition to the settlement amount of $3 million, Cottage Health has agreed to enter into a three-year Corrective Action Plan, which includes completion of an organization-wide risk analysis, the development and implementation of organization-wide policies and procedures, and the training of staff members on the newly implemented policies and procedures.

This last settlement in December makes 2018 a banner year for the OCR, with the largest amount of settlements in its history: eleven, totaling $28,683,400.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...