skip to main content

February 17, 2019

By: Stacy Walton Long and

The Health and Human Services Office of Civil Rights (“OCR”) recently entered into its final Resolution Agreement of 2018 to resolve HIPAA allegations involving Cottage Health, a California health system that serves patients throughout the state. Cottage Health provided notice of breaches of unsecured electronic protected health information (“ePHI”) to OCR on December 2, 2013 and December 1, 2015.1 These breaches first revealed a total of 44,957 affected individuals; the number later increased to 62,525.2 OCR’s investigation revealed that the first breach occurred as a result of the removal of security protections from a Cottage Health server. The investigation further revealed a Cottage Health employee activated the wrong website on a SQL server. Collectively, the breaches resulted in the improper disclosure of patient names, addresses, dates of birth, diagnoses, conditions, lab results, and social security numbers.3 

OCR alleged, as it frequently does with respect to such breaches, that Cottage Health failed to conduct an “accurate and thorough analysis of the potential risks and vulnerabilities to the ePHI held by Cottage Health.”4 The allegations also included failure to implement sufficient security measures, and failure to obtain a business associate agreement with a Cottage Health contractor responsible for the protection of Cottage Health’s ePHI.5

The terms of the Resolution Agreement required Cottage Health to pay $3,000,000 to OCR and enter into a three year Corrective Action Plan. The Corrective Action Plan requires Cottage Health to, among other things, conduct an accurate and thorough risk assessment of its ePHI; develop and implement a risk management plan to address security risks; and develop, maintain, and revise its policies and procedures to comply with the federal regulations that govern the privacy and security of protected health information.6 To see the complete Resolution Agreement and the Corrective Action Plan attached thereto, please click here.

Health care providers and other covered entities should be aware that in 2018, OCR settled a total of ten cases - its highest number in a single year with total settlements of $24.7 million. The Resolution Agreement with Cottage Health, along with all of OCR’s settlements, shed light on the importance of protecting ePHI, and complying with all laws and regulations related to privacy and data security. A summary of OCR’s 2018 HIPAA settlements is available here.

If you have questions regarding HIPAA compliance policies or issues, business associate agreements, or other HIPAA-related questions, please contact Stacy Walton Long at, Alexandria M. Foster at, or any other Krieg DeVault attorney in the Health Care Practice Group.

  2 Id.
  3 Id.
  4 Id.
  5 Id.
  6 Id.