In a rare, delayed announcement of an agreement finalized months earlier, the HHS Office for Civil Rights (OCR) reported in February that it had, indeed, experienced a truly record-breaking 2018 beyond banking the largest single payment—$16 million from Anthem Inc.
“OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement,” the agency exclaimed on Feb. 7. “In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million,” an amount that the agency pointed out was 22% higher than the previous record of $23.5 million set in 2016.
What put OCR over the top was a $3 million agreement with Cottage Health of Santa Barbara, California, a small, nonprofit system anchored by 128-year-old Santa Barbara Hospital, triggered by a total of two breaches that occurred in 2013 and 2015. Cottage Health will also implement a three-year corrective action plan (CAP).
Perhaps most notably, in 2017 Cottage Health paid the state of California $2 million to settle allegations of HIPAA and state law violations related to the same two breaches (“System to Pay Calif. $2 Million, ‘Upgrade’ Data Security,” RPP 17, no. 12).
The new settlement with OCR means breaches collectively affecting the electronic protected health information (ePHI) of 62,000 individuals cost Cottage Health $5 million in payments to government agencies alone. Cottage Health previously paid $2.05 million to settle a class action lawsuit related to the 2015 breach.