Stolen laptops mean $2M in mega fines

Will a drumbeat of costly settlements get the message through?
By Mike Miliard
10:27 AM
Laptop with padlock

Serving notice that "covered entities and business associates must understand that mobile device security is their obligation," the HHS Office for Civil Rights has settled with two organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen.

[See also: Why does healthcare resist encryption? ]

That's a big number. And that's because it's meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to the security of patient information, said Susan McAndrew, OCR’s deputy director of health information privacy.

"Our message to these organizations is simple: Encryption is your best defense against these incidents," she said.

[See also: OCR: 'Pay attention to details']

The biggest of the two settlements was levied against Concentra Health Services, after OCR opened an investigation following a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.

The probe found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.

Steps were taken to begin encryption, but Concentra’s efforts were "incomplete and inconsistent over time," according to an HHS press release, leaving patient PHI vulnerable throughout the organization.

In addition, OCR’s investigation found that Concentra had put in place sufficient security management processes to protect that information. As such, Concentra has agreed to pay $1,725,220 to settle potential violations and will "adopt a corrective action plan to evidence their remediation of these findings," according to HHS.

Meanwhile, OCR received a breach notice in February 2012 from Arkansas-based QCA Health Plan, reporting that an unencrypted laptop with the PHI of 148 individuals was stolen from an employee's car.

QCA encrypted its devices following discovery of the breach, but OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rule, beginning from the compliance date of the security rule in April 2005 and ending in June 2012.

To make amends, QCA has agreed to a $250,000 settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its PHI. It is also required to retrain its workforce and document its ongoing compliance efforts.

Speaking earlier this year at HIMSS14, McAndrew made it clear that "compliance and enforcement is really where the action is going to be," in 2014.

After recounting whopping OCR settlements from the past year, such as WellPoint's $1.7 million fine for leaving PHI viewable online, and Affinity Health Plan's $1.2 million fine for failing to properly dispose of a photocopier, she said she expected more big settlement numbers would be in the offing.

But McAndrew had little sympathy for HIPAA transgressors. "This is just common IT stuff," she said, adding that stiff penalties could be avoided by simply "(paying) attention to details."

To help other health organizations avoid these fines, OCR has set up six educational programs for providers on compliance with various aspects of the HIPAA Privacy and Security Rule. Each is available with free continuing medical education credits for physicians and continuing education credits for healthcare professionals. Learn more here.