◆ Cottage Health in California has agreed to pay $3 million to settle potential HIPAA violations, the HHS Office for Civil Rights (OCR) said Feb. 7. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. The settlement was finalized in December 2018 and stemmed from breaches reported by Cottage Health in December 2013 and December 2015. In the first breach, OCR said a Cottage Health server was accessible from the internet. “OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI [electronic protected health information] without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server,” OCR said. In the second breach, a server was “misconfigured,” exposing ePHI over the internet, such as patient names, addresses, dates of birth, Social Security numbers, diagnoses and conditions. When OCR investigated, it alleged that Cottage Health “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level,” among other things. Visit http://bit.ly/2UPohd2.