Lost thumb drive leads to $150K fine
An unencrypted USB drive has ended up costing one dermatology practice, which has settled with the Department of Health and Human Services for failing to address HITECH's breach notification provisions.
Adult & Pediatric Dermatology (known as APDerm), which provides dermatology services in Massachusetts and New Hampshire, agreed on a settlement of $150,000 for privacy and security violations, and will be required to put a corrective action plan in place to fix deficiencies in its HIPAA compliance program, according to a notice posted Dec. 26 on the HHS website.
It's the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act, say officicials from HHS' Office for Civil Rights.
OCR launched its investigation of APDerm after being tipped off that an unencrypted thumb drive containing the protected health information of some 2,200 people was stolen from a vehicle of one its staff members. The drive was never recovered.
The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security management process, officials say.
Moreover, APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train workforce members.
In addition to the $150,000 resolution amount, AP Derm's settlement includes a corrective action plan requiring development of a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. The practice will also be required to provide an implementation report to OCR.
"As we say in healthcare, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez, in a press statement. "That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."
[See also: At $1.2M, photocopy breach proves costly]