In this case, more than 55,000 patients were impacted between 2013 and 2015.
Cottage Health discovered the breach late in 2013. The company received a voicemail message informing company officers that there was a large file containing PHI of an unspecified number of its patients available online, without encryption or password protection that could prevent unauthorized access. In 2015, the company suffered a second, much smaller breach that impacted 4,596 of its patients.
As a result of the investigation that followed, the California Attorney General determined that the Cottage Health System had violated California’s Confidentiality of Medical Information Act, as well as several federal HIPAA regulations.
Under the terms of the agreement, in addition to a $2 million fine, the company has been required to upgrade its data security practices, including:
• Training employees on the collection, storage and proper use of PHI and PII
• Maintaining a reasonable set of policies and protocols surrounding incident tracking reports, risk assessment, data retention, internal audits and incident management plans, subject to external review
• Encrypting all PHI and PII in transit
• Assessing all hardware and software used in Cottage Health’s network for potential vulnerabilities, and upgrading as appropriate
• Conducting periodic testing to identify and address additional vulnerabilities.
This most recent incident serves as a painful reminder to any company involved in the handling of PHI and PII. According to Elizabeth Hodge, a health care attorney of the law firm Akerman, LLP:
“Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorneys general enforcing their respective state laws.”