HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cottage Health System BA Responsible for 32,500-Patient HIPAA Breach

A HIPAA breach which resulted in the Protected Health Information of 32,500 patients of the Cottage Health System being exposed has been attributed to an error made by one of the healthcare provider’s Business Associates (BA).

A third party vendor, Insync, is alleged to have inadvertently removed some electronic security protections which resulted in the health data and personal information of Cottage Health patients being accessible via the search engines. The file containing PHI was accessible via Goggle for a period of 14 months.

The server was made secure on Dec 2, 2013 as soon as the security breach was discovered, and a request was sent to Google to de-index the file. An investigation revealed the security protection was removed by Insync on Oct 8, 2012.

The HIPAA breach was identified by Cottage Health after it received a voicemail message “informing it that a file containing personal health information of certain patients may be available on Google,” according to a letter sent by the healthcare provider’s attorney to California Attorney General, Kamala D. Harris.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The breach affected patients of the Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital and Goleta Valley Cottage Hospital and all had received treatment between Sept 29, 2009 and Dec 2, 2013. Cottage Health sent a breach notification letter to all affected individuals informing them that their names, addresses and dates of birth were included in the file along with clinical information such as laboratory test results, diagnoses, medical procedures performed, medical record numbers and account numbers. No financial information or Social Security numbers were exposed in the HIPAA breach.

Even though the information was accessible via Google for 14 months, the risk of identity theft is considered to be low. According to a breach notification notice posted on the Cottage Health website, all affected individuals are being offered identity restoration services “to assist the impacted population in the unlikely event that any exposed information may be misused.”

Cottage Health will be reviewing its cybersecurity policies and procedures and will be conducting a full audit of its security protocols. It will also be reviewing all of its business agreements with third party vendors. Security checks will also be conducted more frequently and it will enhance its change notification system.

The introduction of the HIPAA Omnibus Final Rule last year means that Business Associates can be held accountable for HIPAA breaches; although in this case it is not clear whether the OCR would hold Insync liable for the breach as it occurred prior to the introduction of the Omnibus Rule.

The OCR could potentially fine Insync if it investigates and finds non-compliance issues and action could also be taken against Insync if it is found to have violated HIPAA by unnecessarily delaying the issuing of breach notification letters. However, if Insync was acting as an agent of Cottage Health, then the healthcare provider would be liable to pay any fine issued by the OCR.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.