Small Provider’s Stolen Laptop Leads to One Million Dollar HIPAA Fine

A $1,040,000 fine for a fairly small provider. That’s the number we’ll be talking about in this blog. Ready to keep reading? 

Among the latest newsworthy breaches, Lifespan Health System Affiliated Covered Entity (Lifespan ACE) recently agreed to a large settlement over HIPAA violations. Lifespan ACE is a non-profit health system based in Rhode Island that includes many healthcare provider affiliates in the state. The organization paid a hefty $1,040,000 to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential HIPAA Privacy and Security Rule violations, all stemming from the theft of an unencrypted employee laptop.

HIPAA violations are always taken seriously, as they typically involve a leak of patient medical information or credentials, which are considered among the most sensitive data in the health industry. After a hospital employee’s laptop was stolen, Lifespan filed a breach report with the OCR. The laptop was reported to contain patient names, demographic information, medical record numbers, and medication information, and the breach was estimated to affect some 20,431 individuals.

A breach report to the OCR will spark a formal investigation of the organization in question when HIPAA violations are suspected. The findings revealed a systemic lack of compliance with HIPAA rules, which likely created the risk of sensitive medical data leaking from an employee’s laptop in the first place. Lifespan was found noncompliant for failing to encrypt ePHI on laptops and for lacking media and device controls for employees.

As with any investigation, the OCR looks into the controls in place to protect a medical organization against the inevitable breach or loss of devices. Mobile devices and laptops are stolen every day; the issue in question was that controls were not in place to protect sensitive data when this inevitably happened.

As with most HIPAA breaches, Lifespan was not off the hook after paying a large settlement. It has also had to expedite the rollout of a monitoring plan and additional corrective actions to prevent similar breaches from happening in the future. The resolution agreement can be read here. You can also read the original report of the breach by clicking here.

PK Tech Q&A

Q: How does this apply to your business?
A: Failing to follow the simplest of controls, such as encrypting laptops that hold protected data, can put you out of business (or at least cost you a lot of money). It’s time to take cybersecurity and HIPAA compliance more seriously and get ahead of simple breaches like this one.

Q: Only large businesses get in trouble for HIPAA violations; why should I care?
A: This involved only 20k records; it was not a large breach. Most HIPAA breach headlines concern millions of records. This one was only 1.6% of the size of the largest breach in 2019.

If you exported your patient list with addresses onto your laptop, and your laptop was stolen or lost, you would be in the same boat as the breach victim referenced above. They paid one million dollars out of pocket to settle with the US Government instead of following the basic IT safeguards mandated by HIPAA. It would be best if you emphasized prevention and actively worked on your HIPAA compliance.

Q: I can’t afford or don’t have time to deal with all these extra IT safeguards in my practice; what should I do?
A: HIPAA compliance should be factored into your business plan at this point, just like general business insurance. If you can’t afford to comply with HIPAA, you can’t afford to legally operate in a regulated industry reimbursed by health insurance plans. 

Regarding the lack of time, start by working with a reputable IT company that knows this subject. Share the burden, and work toward HIPAA compliance over time using proven processes. Implementing managed disk encryption on one laptop can cost less than $120/year. Surely the company involved in this breach would love to travel back in time and spend $120/year instead of $1 million plus the destruction of its reputation.

Q: I have insurance for HIPAA breaches; how does this event affect me?
A: Insurance doesn’t repair your reputation (although it may cover efforts toward rebuilding it). If gross negligence is discovered and fines are assessed, your insurance policy will likely not help you. In the policy, you agreed that you were performing annual HIPAA security risk assessments. We find that a lot of businesses blindly sign and never follow up on what they agreed to. We recommend leaning less on an insurance policy and more on actively working toward HIPAA compliance and staying out of the headlines.

At PK Tech, we work with many healthcare providers who are required to abide by HIPAA regulations. If your clinic or medical institution has IT security questions specific to HIPAA, PK Tech is here to help. 

You can also learn more about our HIPAA services, or download our free HIPAA eBook, by visiting the resource page on our website here.