Unencrypted laptop costs healthcare system $1M+ in fines
The largest health system in the smallest state has agreed to pay $1,040,000 to HHS’s Office for Civil Rights (OCR).
The settlement requires five-hospital Lifespan Health Services to pay the amount and take corrective actions for failing to meet HIPAA rules on data encryption.
The potential for a significant breach was discovered after the health system reported an employee’s laptop had been stolen.
With the filched portable computer in unknown hands, more than 20,000 patients are at risk of having their unencrypted names, medical record numbers, demographic information and medication lists stolen, according to a July 27 announcement from HHS.
In the announcement, OCR director Roger Severino points out that laptops, smartphones and tablet computers go missing every day.
“[T]hat’s the hard reality,” he adds. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”
Lifespan’s member hospitals include 719-bed Rhode Island Hospital in Providence and its adjacent pediatric facility, Hasbro Children’s Hospital.
According to coverage by GovInfoSecurity, the Lifespan settlement is OCR’s third such deal this year and by far the largest. At the same time, the office is behind the pace it set last year, when it announced 13 HIPAA enforcement actions totaling about $15.3 million. Among these was a $3 million settlement with the University of Rochester Medical Center in upstate New York.