OCR Sets HIPPA Enforcement Record with Cottage Health Settlement

OCR Sets HIPPA Enforcement Record with Cottage Health Settlement

California-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information. This settlement, in December 2018, brought the annual total of collections from OCR enforcement actions to $28.7 million, setting a new annual record.

Two Breaches

Cottage Health, which operates four hospitals in California, notified HHS’ OCR about two breaches of unsecured electronic protected health information (ePHI), one in December 2013 and another in December 2015, affecting more than 62,500 individuals.

The first incident occurred when the security configuration settings of the health system’s Windows operating system reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet with access to Cottage Health’s server.

The second incident, which also reportedly exposed unsecured ePHI over the Internet, occurred after a server was misconfigured in response to an IT troubleshooting ticket.

Multiple Failures

During its investigation, among other things, OCR determined that Cottage Health failed to (1) perform periodic evaluations in response to operational changes affecting the security of ePHI and (2) obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

“The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during and after implementation covered entity makes system changes,” said OCR Director Roger Severino.

Resolution Agreement

In addition to the $3M settlement , Cottage Health has agreed to enter into a three-year Corrective Action Plan, which includes completion of an organizational-wide risk analysis, the development and implementation of organization-wide policies and procedures and the training of staff members on the newly implemented policies and procedures.

OCR’s Record Year

This last settlement in December makes 2018 a record-setting year for the OCR—with the largest amount of settlements in its history (11) – totaling $28,683,400. The previous record was $23.5 million in 2016.

OCR’s HIPAA enforcement actions were roughly in line with previous years except for a $16 million settlement with Aetna, the single largest ever by the office.


Organizations, particularly healthcare organizations, must perform risk assessments of its sensitive information and implement the necessary safeguards to protect that information. Regularly performing risk assessment is a critical step in protecting an organization’s sensitive information, particularly when new business systems and procedures are put into place.


Print Friendly, PDF & Email