Seattle health system will pay $100K HIPAA fine

A Seattle-based health system has agreed to pay a $100,000 HIPAA fine, as well as improve its medical data security, after failing to properly secure data backup tapes, disks and laptops. During 2005 and 2006, medical data was stolen from Providence Health & Services several times, with backup tapes and laptops being lost or stolen repeatedly. In light of these incidents, the health system will now revise its policy on transporting patient records outside of company buildings, and it will improve employee training. It will also undergo security monitoring by the feds, and turn in reports on data security measures for three years.

The fine that will be paid by Providence is actually fairly unusual, as very few HIPAA fines have actually been imposed to date. However, its security issues are also unique. While many health organizations have lost a single laptop or backup tape to theft or disorganization in recent years, I haven't encountered any that have actually had to report multiple losses. That might explain why federal monitors took a particular interest in this organization's troubles.

To learn more about the HIPAA settlement:
- read this Seattle Post-Intelligencer piece
