What Happened: Cottage Health, a multi-hospital system in California, experienced multiple security breaches as the result of improper permissions and access. In the first instance, the security settings had not been configured correctly and allowed electronic PHI (ePHI), including patient names, diagnoses and lab results to be available to anyone on the Cottage Health server. In another breach, an IT troubleshooting ticket exposed ePHI to the internet. Cottage Health paid a $3 million settlement.
Takeaway for ASCs: This was a serious breach, affecting more than 62,500 individuals, all as a result of improper security permission configuration. OCR’s investigation found that Cottage Health “failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes.” It is imperative that ASCs monitor the security settings of any system that could contain patient PHI, especially while undergoing any system changes. Even if no system changes are planned, it is good policy to periodically review protocols and ensure that all ePHI is securely protected.
What Happened: Touchstone, a diagnostic medical imaging service, was notified by OCR and the Federal Bureau of Investigation (FBI) that one of its servers was allowing uncontrolled access to patient PHI. Touchstone initially claimed that no PHI was exposed and failed to thoroughly investigate the incident until months after the notice. In the end, the PHI of more than 300,000 patients was exposed and Touchstone paid a $3 million settlement.
Takeaway for ASCs: This was a failure on many levels, and ASCs can take a number of lessons from this incident. As with many other incidents, ASCs must have risk-analysis procedures in place that thoroughly and accurately assess vulnerabilities to confidential PHI. ASCs must also have business associate agreements in place with any vendor, especially information technology (IT) support services and/or data centers, that may have access to PHI. As OCR Director Roger Severino stated in the press release announcing the enforcement action, when a breach occurs any health entity must respond “with the seriousness they are due, especially after being notified by … law enforcement agencies.”