Monday, February 11, 2019

Cottage Health Settles with OCR for $3 Million Penalty Over 2 Data Breaches

A health care group called Cottage Health has agreed to a settlement with the federal government over 2 separate data breaches. Notably, the $3 million fine covers two separate incidents: one occurred in 2013 and the other in 2015. Combined, these 2 breaches exposed the PHI (Protected Health Information) of 62,500 patients.
The first incident was, unfortunately, almost comical. A server was misconfigured during security setup, which gave access to anyone without the use of a username or password. The exposed data consisted of names, addresses, dates of birth, diagnoses, lab results, and other treatment information of more than 32,000 patients. Yikes!
The second occurred when a server needed service and the IT personnel misconfigured the unit during the repair. The resulting security hole left patient names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, and other treatment details exposed over the Internet.
In addition to these problems, Cottage Health also failed to obtain a BAA (Business Associate Agreement) with a contractor that maintained PHI for the company.
For those of you who are unfamiliar with the term BAA or are just a little fuzzy on the whole concept, here is some info on Business Associates directly from the Department of Health and Human Services (HHS):
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.  
The OCR then began an investigation into the “why’s and how’s” of these breaches.
Compounding the IT mistakes listed above was what the Office of Civil Rights referred to as failing to implement security measures "sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."
This led the OCR to also require Cottage Health to abide by a corrective action plan.
I’m posting this info to help colleagues understand the importance of data security and to be proactive in protecting PHI. I’ll end this post with a quote from the Director of OCR.
“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” OCR Director Roger Severino said in a statement. “Information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”