A healthcare provider in Rhode Island has agreed to pay a fine of more than $1 million for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) after an employee’s laptop computer was stolen and the protected health information (PHI) of more than 20,000 individuals was compromised.
The problem for the provider — Lifespan Health System Affiliated Covered Entity (Lifespan ACE) — was that the information on the laptop was not encrypted, per HIPAA requirements, and the patients’ names, medical record numbers, demographic information, and medication information was stolen as part of the data breach.
The fine was assessed by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). The laptop was stolen from a hospital employee’s car while it was parked in a private lot. The company analyzed the employee’s work emails and uncovered that there may have been a cached file on the device’s hard drive containing the PHI.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality,” said Roger Severino, OCR’s Director, in a statement. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”
During the investigation, the HHS found that the provider did not have policies and procedures to ensure all information was encrypted, did not track devices which contained PHI, and did not have proper agreements in place.
Along with paying the fine of $1,040,000, Lifespan has agreed to a corrective action plan that includes two years of monitoring. Lifespan will also have to show it has properly encrypted all of the devices on its network and how it is controlling access to its network.