The U.S. Department of Health and Human Services Office for Civil Rights (OCR) ended 2018 with a bang by announcing a total $28.7 million collected in enforcement actions and settlements with healthcare providers under the Health Insurance Portability and Accountability Act (HIPAA). The most recent settlement announced at the beginning of February (but negotiated in December 2018) was with Cottage Health, which operates four hospitals in California. This settlement came on the heels of eight other settlements and one judgment in 2018, resulting in overall collections of almost $29 million for OCR.
Cottage Health’s $3 million settlement with OCR resulted from two data breaches, in December 2013 and December 2015. The first breach of electronic protected health information (ePHI) resulted from a misconfiguration in the security settings of Cottage Health’s operating system. The error allowed ePHI stored on Cottage Health’s server, including patient names, addresses, dates of birth, Social Security numbers, and treatment information, to be accessed from the internet without the required log-in credentials.
Then another system misconfiguration occurred in 2015, when Cottage Health’s IT department attempted to fix a reported technological issue. The “fix” resulted in internet users being able to access ePHI without a username or password. OCR investigated the breaches and determined that Cottage Health had failed to conduct accurate and thorough assessments of risks to the confidentiality of ePHI and had failed to implement appropriate security measures or to perform necessary assessments of the security of ePHI. Additionally, Cottage Health had failed to enter into a written business associate agreement with a contractor maintaining ePHI on its behalf. Along with the financial penalty, Cottage Health entered into a three-year corrective action plan requiring system-wide risk analyses to assess all risks and requiring the company to develop a risk management plan.
Prior to the Cottage Health settlement, OCR entered into several settlement agreements in 2018 with big names in the healthcare industry, including Anthem, Inc. (Anthem), Brigham and Women’s Hospital, and University of Texas MD Anderson Cancer Center (MD Anderson). The largest HIPAA-related settlement in history was reported in October 2018 with Anthem. The $16 million deal was reached with Anthem as a result of a data breach involving almost 79 million patients. The breach was caused by hackers who stole personal information of patients, including names, dates of birth, Social Security numbers, and addresses. The Anthem settlement itself was three times OCR’s prior record settlement of $5.5 million with Advocate Health in 2016.
Interestingly, in June 2018, an administrative law judge awarded OCR $4.3 million in a suit against MD Anderson. This was only the second time that OCR has won a summary judgment motion in a HIPAA enforcement action. The judgment resulted from three breaches of ePHI in 2012 and 2013 related to unencrypted electronic devices. OCR levied fines, which were upheld by the administrative law judge, against MD Anderson for each day it was not HIPAA-compliant and for each individual record breached as a result of the lack of encryption.
Then in September 2018, OCR settled with Brigham and Women’s Hospital, along with Boston Medical Center and Massachusetts General Hospital, for almost $1 million as a result of HIPAA breaches occurring during the filming of a television documentary for a major television network. According to the settlement documents, the hospitals inappropriately disclosed protected health information of their patients by allowing media crews onsite to film a documentary series without obtaining authorizations from the patients.
As the number of settlements and the amounts of those settlements continue to increase year over year, it is vital that both covered entities and business associates ensure that their practices are HIPAA-compliant. Large companies are a high-value target for hackers and OCR, but 2018 has demonstrated that OCR does not discriminate: two of the settlements in 2018 were with small companies for $100,000 each. Cottage Health’s breach specifically highlights the need to ensure that changes and updates to technology are thoroughly vetted and monitored. OCR Director Roger Severino said it best:
“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action.”