OCR Settlements Reach $5.4 million for Theft of Laptops in Two Organizations

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced two resolution agreements in March over potential violations of the HIPAA Privacy Rule, reaching high figures for penalty fines. North Memorial Health Care agreed to a $1.55 million settlement, while Feinstein Institute for Medical Research agreed to pay a $3.9 million settlement. Both breaches were tied back to the theft of a laptop.

Between June 2013 and July 2014, HIPAA received more than $10 million in HIPAA violation fines; these two fines alone total $5.4 million for 2016. In the past two years, it has been expected that HIPAA would be issuing both more and larger penalties. Due to a change in leadership at the OCR in 2015 slowing down the process, it was predicted that 2016 would see a large number of financial settlements come through.

The $1.55 million settlement with North Memorial Health stems from a data breach associated with the theft of an unencrypted, password-protected laptop in 2011. The laptop, left in a vehicle of an employee of its contractor (Accretive Health), contained the PHI of 9,947 individuals. The resolution agreement requires the settlement amount to HHS, a comprehensive corrective plan focused on risk analysis and training, and a plan that would develop policies and procedures related to business associate relationships. In this case, it was a major point of contention that North Memorial lacked a Business Associate Agreement (BAA) with Accretive prior to handing off PHI to them.

The $3.9 million settlement with Feinstein Institute is among the first settlements levied against a research institute.  The large settlement stems from the theft of an unencrypted, password-protected laptop from an employee car in 2012. Investigation revealed many gaps in both the understanding of risks to the data as well as technologies, policies and procedures to protect the data. The laptop contained the detailed PHI of 13,000 research participants. In its resolution agreement, Feinstein is required to conduct a risk analysis yearly, with documentation of the security measures implemented to reduce the vulnerabilities to ePHI. Employees at Feinstein must also sign the organization’s HIPAA policies and procedures before allowed access to the ePHI, with an ongoing focus on training.

In each of these settlements, the message is clear that healthcare organizations of all kinds are being held to a high standard in data security, including the data security of its contractors. Understanding risks and implementing solutions that can automatically monitor for endpoint risks, and remotely take action if a security incident occurs, are key to managing the mobility risks in healthcare today. The healthcare workforce is more mobile than it was when these organizations experienced these breaches. At Absolute, we want to help you prepare for the risks of today – and tomorrow.

Absolute Data & Device Security (DDS) for Healthcare, helps you identify potential security threats and respond rapidly before they become damaging security incidents. Tailored specifically for healthcare organizations, Absolute DDS provides a full complement of features and remote capabilities so that you can control and secure healthcare data and devices, maintain the trust of your patients and stakeholders, and protect your organization from financial penalties. Learn more about our healthcare solutions here.

ABOUT THE AUTHOR

Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada’s first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.