Research institute faces $3.9M HIPAA fine

The Feinstein Institute for Medical Research, affiliated with Northwell Health, will pay a $3.9 million fine for HIPAA violations.

Northwell previously was called North Shore Long Island Jewish Health System.

The fine is the result of the 2012 theft of an unencrypted laptop from an employee’s car. The laptop contained a range of demographic and medical information, as well as Social Security numbers, affecting about 13,000 patients and research participants.

An investigation by the Office for Civil Rights (OCR) found limited security management at Feinstein Institute: the organization lacked policies and procedures authorizing workforce access to electronic protected health information (ePHI) and governing the receipt and removal of laptops holding ePHI, and it had not implemented safeguards for electronic equipment procured outside of the standard acquisition process.

The organization not only failed to encrypt the laptop, but also did not document “why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI,” according to the resolution agreement. While HIPAA does not expressly require encryption, it does require a documented justification for not adopting it, along with an equivalent alternative safeguard.

“This [Feinstein] case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research,” an OCR statement said.

The resolution agreement and corrective action plan for Feinstein Institute are available here.

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
