Cottage Health

Cottage Health to pay USD 3 million for HIPAA violation.

California-based Cottage Health has agreed to pay USD 3 million to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle HIPAA violations arising from two security breaches, in 2013 and 2015. The health provider, which operates four hospitals in California, unintentionally disclosed the electronic information of 62,500 patients, including names, addresses, dates of birth, medical record numbers, account numbers, diagnoses, lab results, and procedures performed.

What happened?

In 2013, Cottage Health identified that a server containing patients’ electronic protected health information (ePHI) had not been properly secured: files containing ePHI could be accessed over the internet without a username or password. A similar server misconfiguration was discovered in 2015. While responding to a ticket, the IT team removed the protection on a server, which again exposed patients’ ePHI on the internet.

Cottage Health is offering free identity restoration services in case the information of the affected patients is misused. It has also adopted a three-year Corrective Action Plan (CAP), which requires it to conduct a comprehensive, organization-wide risk analysis and to implement a risk management plan that addresses all security risks and vulnerabilities identified during that analysis. It is also reviewing its relationships with third-party service vendors and plans to train all staff on the HIPAA Privacy and Security Rules.

Don't want to make the news for the wrong reasons? Download ManageEngine Log360, the tool that can help combat internal and external security attacks.

How can ManageEngine help?

HIPAA mandates the standards companies need to follow to protect and maintain the confidentiality of personally identifiable health care information. ManageEngine Log360, a comprehensive log management solution, helps IT security admins meet HIPAA requirements by monitoring and auditing access to critical data. This solution identifies and tracks suspicious insider activity as well.

Log360 provides out-of-the-box reports with exhaustive information on data access, user activity, user logon and logoff activity, and more. With these reports, you can draw meaningful insights about accesses to, modifications of, and permissions on critical files to help mitigate insider threats. The solution also generates real-time email or SMS alerts so that compliance violations can be addressed immediately. Using Log360, you can:

  • Monitor all modifications to protected health information (PHI) across file servers to detect and resolve any violations.
  • Audit and report all data accesses to PHI to ensure that no unauthorized changes are taking place.
  • Track and monitor all changes to access rights and file server permissions to identify anomalies.
  • Utilize customizable, built-in capabilities for alerts to regularly audit file and folder-related activities.
  • Get detailed information on user logon and logoff activity such as the username, date and time, reason for the logon failure, and more.
  • Detect and respond to mass file accesses with customizable, automated responses.
  • Identify local system processes such as system startups, shutdowns, or changes to the system time or audit logs using preconfigured reports.
  • Securely archive audit log data so that at any point in time, the audit log data can be loaded back to the database, and forensic analysis can be conducted to identify the root cause of unauthorized attempts, if any.

Download a free trial version of Log360 to test these features out yourself.

2022 Zoho Corporation Pvt. Ltd. All rights reserved.