The Department of Health and Human Services Office for Civil Rights (OCR) entered into a $3 million settlement with Cottage Health relating to a breach of PHI of more than 60,000 people. Cottage Health operates several hospitals in California.
One breach resulted from the misconfiguration of a server, exposing unsecured PHI over the Internet. The breach released patient names, addresses, dates of birth, Social Security numbers, and diagnosis and treatment information. The other breach resulted from a contractor’s removal of security configuration settings on the Windows operating system of a server, which allowed access to personal files without a username and password.
Cottage Health must undertake a corrective action plan in addition to paying the settlement amount. A copy of the resolution agreement may be accessed by clicking here.