October 19, 2021

Volume XI, Number 292

Laptop Security Breach Leads to $850,000 HIPAA Settlement Payout

On November 19, 2015, Lahey Hospital and Medical Center (“Lahey”) entered into an $850,000 settlement with the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), resolving alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). As part of the settlement, Lahey must adopt a corrective action plan, which took effect on November 19, 2015 and will run for two years.

The settlement reinforces the importance of conducting HIPAA risk analyses covering the individually identifiable health information in electronic form that HIPAA protects, referred to as “electronic protected health information” or “ePHI.” The settlement also underscores that covered entities must identify and respond to security incidents in a timely manner and promptly mitigate any harmful effects. In addition, the settlement highlights the critical nature of physical workstation security, particularly where health care delivery relies on portable devices that store ePHI, and the value of technical solutions that encrypt data at rest on those devices.

Lahey, a nonprofit teaching hospital in Burlington, Massachusetts, first reported a laptop theft to HHS on October 11, 2011. The laptop was used in connection with a computerized tomography (“CT”) scanner and was taken from an unlocked treatment room off the inner corridor of Lahey’s Radiology Department. The laptop contained the unsecured ePHI of 599 individuals.

In November 2011, OCR notified Lahey that it was investigating Lahey’s compliance with HIPAA. OCR regularly investigates reported breaches, but not every investigation ends in a financial settlement. Here, however, OCR alleged serious deficiencies in Lahey’s HIPAA compliance program, specifically:

  1. Failure to conduct a thorough risk analysis of all its ePHI;

  2. Failure to physically safeguard a workstation that accessed ePHI;

  3. Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnosis/laboratory equipment;

  4. Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue;

  5. Failure to implement procedures that recorded and examined activity in the workstation at issue; and

  6. Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement payment, Lahey entered into and agreed to comply with a two-year corrective action plan (“CAP”). Under the CAP, Lahey must conduct a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities to its ePHI, and the resulting risk management plan must be approved by HHS. Lahey must also adopt written HIPAA policies and procedures, which likewise require HHS approval. The CAP further requires Lahey to provide specific training to all workforce members who have access to and use ePHI, and to report to HHS if it determines that any member of its workforce has failed to comply with Lahey’s HIPAA policies and procedures during the two-year term of the CAP.

This settlement is one of several OCR HIPAA settlements this year. For example, on August 31, 2015, Indiana-based Cancer Care Group, P.C. agreed to a $750,000 settlement with OCR following the theft of a laptop bag containing a laptop computer and unencrypted backup media from an employee’s car.

The Lahey settlement payment and CAP demonstrate the importance of implementing and maintaining robust operational safeguards to reduce the risk of disclosing ePHI. They underscore the value of taking a close look at physical security for workstations, and of using appropriate technical solutions to encrypt data at rest on portable devices.

© 2021 Proskauer Rose LLP. National Law Review, Volume V, Number 349

About this Author

Ellen H Moskowitz, Health Care, Proskauer Law Firm
Senior Counsel

Ellen Moskowitz is a Senior Counsel in the Health Care Department. She provides a broad range of regulatory, corporate and transactional services to the health industry, social services clients and charitable organizations, such as academic medical centers, health clinics, health plans, pharmaceutical companies and not-for-profit organizations. 

212-969-3232
Mara Wilber, Proskauer Rose, New York, Lawyer, Health Care
Associate

Mara Wilber is an associate in the Health Care Department. Her practice focuses on representing health care clients, including hospitals, academic medical centers, physician organizations, start-ups, pharmaceutical and medical device companies, and other financial institutions and health care organizations. Mara provides legal advice on a wide range of regulatory, transactional and litigation matters, including fraud and abuse compliance, HIPAA and data privacy, telemedicine, Medicare/Medicaid reimbursement, and general corporate and business planning.

...
212-969-3183