$750K HIPAA fine for Indianapolis practice
In August 2012, Cancer Care reported a HIPAA security breach to the Office for Civil Rights after an unencrypted laptop and server backup media were stolen from an employee's car. The devices contained protected health information, Social Security numbers and insurance data for about 55,000 patients.
The Office for Civil Rights' investigation found that even before the breach Cancer Care was in "widespread non-compliance with the HIPAA Security Rule," the Department of Health and Human Services said.
Cancer Care had not conducted an enterprise-wide risk analysis at the time the laptop and backup media were stolen, and had no written policy in place addressing or controlling the removal of electronic media from its facilities. The practice also had not addressed these deficiencies since 2005, the year the Security Rule's compliance date took effect.
"Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information," said OCR Director Jocelyn Samuels, in a statement. "Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."
The settlement includes a corrective action plan that requires Cancer Care to conduct a risk analysis and submit it to HHS for review. The practice also must develop and put in place an enterprise-wide risk management plan that addresses security risks, data systems and portable electronic devices, and must update its policies and employee training program. HHS will review all of these measures.