CardioNet slammed with $2.5 million fine for failed risk management and analysis
Pennsylvania-based wireless health services provider CardioNet has settled with the Department of Health and Human Services for $2.5 million stemming from a 2012 HIPAA violation, the agency announced Monday. The settlement marks the first for a wireless health provider.
CardioNet reported to HHS’ Office of Civil Rights in January 2012 that an employee’s laptop had been stolen from a parked vehicle outside the employee’s home. The laptop contained the data of 1,391 patients.
The subsequent investigation found that CardioNet had insufficient risk analysis and risk management processes, and that its HIPAA Security Rule policies and procedures were still in draft form and had not been implemented. Further, the provider was unable to produce final policies and procedures for implementing safeguards for ePHI -- including ePHI stored on mobile devices.
The size of the settlement demonstrates OCR’s stance on the need for organizations to implement strong, HIPAA-compliant security policies. As part of the settlement, CardioNet will also implement a corrective action plan.
“Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss,” OCR Director Roger Severino said in a statement. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.”
“This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected,” he said.