Stolen laptop leads to $1.5 million HIPAA fine
Several healthcare providers have recently been hit by data breaches after the theft of a laptop or other computing device. Now a similar case has led to a huge financial penalty for one hospital.
Massachusetts Eye and Ear Infirmary, a teaching hospital for Harvard Medical School, and Massachusetts Eye and Ear Associates, Inc., an associated practice, have agreed to pay $1.5 million to settle charges that the institutions, collectively known as MEEI, violated HIPAA regulations when 3,600 patient records were stolen in 2010.
The theft occurred in February 2010, when a laptop containing unencrypted prescription data and other clinical information on patients and test subjects was stolen. According to the U.S. Department of Health and Human Services, MEEI negligently failed to take key steps to secure patients’ protected health information, such as:
- Thoroughly analyzing the risks of holding patient data on portable computing devices
- Taking steps to keep data on portable devices secure and make sure it could only be accessed by authorized users, and
- Properly developing a plan of action to respond effectively after a data breach.
Several data breaches have occurred recently because healthcare organizations failed to secure data on portable devices. And now, this settlement shows the severe financial repercussions of failing to keep mobile data secure. Some steps experts recommend:
- Have a policy about taking information home. As computing devices become more portable, more doctors and other employees are taking patients’ sensitive information home with them. And many healthcare data breaches have involved devices being stolen from people’s homes, cars, or other places. It’s a good idea to have rules preventing sensitive data from leaving the organization’s premises.
- If you allow the use of personal devices, have a plan to secure them. For example, organizations should require personal devices to be encrypted and have other security controls installed before they are used to access any sensitive data.
- Delete data when it’s no longer needed. For example, unnecessary extra copies made during a back-up shouldn’t be held onto for longer than is needed. The more copies of information that exist, the more chances there are for it to be stolen.
- Keep offices physically secure. As laptops become the norm for computing, it’s becoming easier for criminals to break into an office and walk out with a lot of valuable data. Healthcare organizations must invest in physical security controls and regularly audit the security of their premises.
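The second recommendation above, requiring a device to be encrypted before it touches sensitive data, only works if someone actually verifies the encryption state rather than trusting a checkbox in an inventory. The following is an added example (not from the article or from MEEI) of such a pre-access check for a Linux laptop: it parses the block-device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` reports and decides whether a data volume sits on top of a dm-crypt (LUKS) device anywhere in its stack, so an LVM-on-LUKS root counts as encrypted while a plaintext external disk does not. The JSON sample is constructed for the example; the `live_lsblk_json` helper is an assumption that util-linux `lsblk` is installed.

```python
"""Pre-access disk-encryption check for a Linux endpoint (added example, not from the article).

Walks the block-device tree reported by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and
reports whether a mountpoint is backed, directly or through LVM/RAID layers,
by a dm-crypt (LUKS) device. The sample JSON below is constructed.
"""
import json
import subprocess

# Constructed lsblk output: LVM-on-LUKS root and /home, plaintext /boot,
# and a plaintext external USB disk mounted at /mnt/usb.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "luks-root", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/mnt/usb"}
    ]}
  ]
}
"""


def _find_path(nodes, mountpoint, path=()):
    """Return the chain of devices from a top-level disk down to the node mounted at `mountpoint`."""
    for node in nodes:
        chain = path + (node,)
        if node.get("mountpoint") == mountpoint:
            return chain
        found = _find_path(node.get("children", []), mountpoint, chain)
        if found:
            return found
    return None


def is_encrypted(lsblk_json, mountpoint="/"):
    """True if `mountpoint` has a dm-crypt device somewhere in its device stack."""
    tree = json.loads(lsblk_json)["blockdevices"]
    chain = _find_path(tree, mountpoint)
    if chain is None:
        raise ValueError(f"{mountpoint} not found in lsblk output")
    return any(dev.get("type") == "crypt" for dev in chain)


def unencrypted_mounts(lsblk_json, mountpoints):
    """Return the subset of `mountpoints` that are NOT backed by dm-crypt."""
    return [m for m in mountpoints if not is_encrypted(lsblk_json, m)]


def live_lsblk_json():
    """Query the running system (assumes Linux with util-linux lsblk); used only when run directly."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], text=True
    )


if __name__ == "__main__":
    # Evaluate the constructed sample; swap in live_lsblk_json() to check the local machine.
    bad = unencrypted_mounts(SAMPLE_LSBLK_JSON, ["/", "/home", "/mnt/usb"])
    print("volumes that must not hold patient data:", bad or "none")
```

The check returns a list rather than a yes/no so that an endpoint-management agent can refuse access (or alert) per volume; in the constructed sample only `/mnt/usb` fails, which is exactly the kind of unencrypted removable store that turns a lost device into a reportable breach.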