Case Study – IT Service Company Causes $3 Million Fine for Practice

      Comments Off on Case Study – IT Service Company Causes $3 Million Fine for Practice

An IT service company can make or break a small medical practice. Computers are fully integrated into modern medicine at all levels including the small practice. Because of this, new areas for practices to be concerned about have appeared. Examples include ransomware, data backup systems, phishing attacks, hardware crashes, and hacker attacks. Having an unqualified IT service company can cause a lot of additional problems for a practice that can result in HIPAA investigations, fines, and lost revenue. In this week’s case study, we discuss a practice that ended up paying a $3 million dollar fine as a result of their IT company’s actions. Read on and learn how to protect your own practice.

What happened?

In 2013, and again in 2015, Cottage Healthcare suffered two data breaches. Cottage Healthcare is a California based healthcare provider that manages 3 healthcare facilities. The records of 62,500 patients were exposed in both of these breaches.

The 2013 incident involved a server that contained Protected Health Information (PHI) for patients. The server had not been secured and allowed access to the data without requiring a username or password. The data contained on the server had the names, addresses, birth dates, diagnosis information, and lab results within. A total of 32,755 patient records were exposed.

In 2015, a second server was discovered and also contained PHI for Cottage’s patients. This server had been misconfigured by an IT service company during a troubleshooting incident. It had been left in an unprotected state. This allowed the data to be accessed on the Internet without any authentication.

In both cases, it was Cottage’s outside IT service company that had allowed the breaches to occur. However, under HIPAA regulations, Cottage is the Covered Entity so the liability passed up to them.

What was the result?

OCR investigated both breaches and found that Cottage did not have a Business Associate Agreement with their outside IT service company nor had they performed a proper Risk Assessment. Both of these violations led to the breaches. Cottage was fined $3 million by OCR for the breaches.

You can read the OCR press release here.

In addition, the state of Calirnoina sued and eventually settled with Cottage for an additional $ 2 million.

A lawsuit by patients resulted in a total of $4.13 million being paid out by Cottage’s insurance company. However, here is where things took an unexpected turn. At first, the insurance company was very helpful and willing to pay out the settlements to patients in the resulting lawsuits. But after performing its own due diligence investigation, the insurance company found that Cottage had never performed its Risk Assessment as it stated in its insurance application form when it applied for insurance. Cottage also didn’t properly vet its IT service company to ensure that this company was adhering to proper HIPAA regulations on data protection. The insurance company filed suit against cottage for the full $4.13 million it had paid out due to insurance fraud committed by Cottage.

All of this occurred because Cottage had not properly ensured that it’s outside IT service company was following HIPAA guidelines when handling patient PHI.

How do you know your IT service company is the right one?

A good first step in evaluating IT services for your practice is if they ask to sign a Business Associate Agreement before engaging in any work. Even to do an assessment on your network would require this. A company that has been trained in HIPAA compliance knows that they have their own liability under HIPAA regulations. They would also want to protect themselves with a Business Associate Agreement.  If they don’t know this or don’t offer to sign one, keep looking for another firm.

Do they discuss performing a Risk Assessment for you? If this is a new IT service company for your practice, they would need to do that to even begin working for you. They would need to know what areas need to be addressed before they can proceed. If not, how can they know what holes need to be plugged? A Risk Assessment would give them the full picture of your practice.

Have they discussed a disaster recovery plan or an incident response plan? These are both required under HIPAA regulations and any IT company that you engage with should be capable of creating and executing them.

We have written a ten-step guide to help you choose the right IT company for your practice. You can read the full post here.


Small practices often have to outsource their IT support to third party companies. Larger practices usually have a person on staff to handle these issues for them. Because the work is outsourced and sometimes, budget constraints, small practices are very much at the mercy of these IT companies. Does the company understand HIPAA regulations and can they help the practice? Often small practices hire a small company or single person to help out with IT issues. HIPAA isn’t part of the discussion as neither are aware. This is a recipe for disaster. IT personnel must be trained and aware of their own obligations under HIPAA. Failing to do so will cause problems for the practice that can lead to breaches and fines. As we see in the case above, the outsourced company failed in their work and it became a very costly mistake for the Covered Entity.

Protect your practice and do a thorough evaluation of your current IT support company and any new ones that you may be considering.