In the first HIPAA settlement involving a wireless health services provider, a cardiac monitoring device manufacturer agreed to pay $2.5 million to settle violations that traced back to a stolen employee laptop.
CardioNet, which manufactures wireless devices that provide real-time cardiac monitoring and analysis, agreed to the settlement five years after the company reported a laptop stolen from an employee’s car that contained health data for more than 1,300 individuals, according to a release from the Department of Health and Human Services.
A subsequent investigation by the Office for Civil Rights (OCR) found that CardioNet had insufficient risk-analysis and risk-management processes in place, and the company’s policies and procedures outlining HIPAA standards were still in draft form. CardioNet also did not have any final policies for safeguarding patient data in mobile devices.
In 2013, the Pennsylvania-based company changed its name to BioTelemetry Inc.
“Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss,” OCR Director Roger Severino said in a release. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
The company also entered into a corrective action plan requiring it to conduct a risk analysis, develop and implement a risk management plan, revise its employee training program and implement secure device and media controls.
Healthcare entities have seen an increase in HIPAA enforcement as of late. The CardioNet resolution marks the seventh multimillion-dollar settlement with OCR in the last year, including a $5.5 million settlement with Memorial Healthcare System in February and a $2.14 million settlement with St. Joseph Health in October.
Earlier this month, HHS announced a $400,000 settlement with Colorado-based Metro Community Provider Network.