OCR levies $2 million in HIPAA fines for stolen laptops

The U.S. Department of Health & Human Services Office for Civil Rights has levied combined fines of nearly $2 million against two healthcare organizations to settle potential HIPAA violations from unencrypted laptops that were stolen.

"Covered entities and business associates must understand that mobile device security is their obligation," Susan McAndrew (pictured), OCR's deputy director of health information privacy, said in an announcement. "Our message to these organizations is simple: encryption is your best defense against these incidents."

Humana subsidiary Concentra Health Services has agreed to pay $1,725,220 after an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. Though Concentra had conducted multiple risk analyses citing the lack of encryption on its computers and other devices, it had not completed the task of installing encryption, leaving patient information vulnerable throughout the organization. OCR also cited insufficient security management processes in place to safeguard patient information.

OCR also fined QCA Health Plan, Inc. of Arkansas $250,000 after an unencrypted laptop containing personal health information for 148 people was stolen from an employee's car. While QCA encrypted their devices after discovery of the breach, OCR said it failed to comply with multiple HIPAA requirements. It has to submit an updated risk analysis and risk management plan, retrain its work force and document its ongoing compliance efforts.

Forty-six percent of data breaches analyzed in a new Verizon data breach report stem from physical theft or loss of unencrypted devices--with the biggest problem in healthcare. It's saying the healthcare industry needs to get serious about data security.

"[Physical theft and loss] is the biggest hands-down problem in healthcare that we are seeing," Suzanne Widup, senior analyst on the Verizon RISK team, told Healthcare IT News. "It really surprises me that this is still such a big problem. It's one of those things that encryption is such an easy safe harbor. Other industries seem to have gotten this fairly clearly." 

The recent cybersecurity drill CyberRX found, among its lessons, that healthcare organizations need more "freedom" to discuss security issues and best practices, rather than being so focused on liability concerns.

To learn more:
- find the announcement
- read the Healthcare IT News story