Failure to Alter Default Settings on Internet Server Leads to $2.1 Million HIPAA Settlement
November 11, 2016 | Strategic Insights for Ambulatory Care
A nonprofit California health system has agreed to pay $2,140,500 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced on October 18, 2016. The health system reported to OCR in February 2012 that certain files in its meaningful use program, which contained electronic protected health information (ePHI), had been publicly accessible via Google, and possibly other internet search engines, during the previous year. The health system had stored the files on a server running a file-sharing application whose default configuration permitted access to anyone with an internet connection; that default was never changed, OCR said.