Large settlement for data breach sends message to lock up laptops and smartphones
A case involving a hospital points to a growing problem with the rapid deployment of mobile devices and a lack of attention to their security.
With a $1.5 million settlement agreement over a lost laptop, the Dept. of Health and Human Services is sending a signal to doctors and others that a violation of the Health Insurance Portability and Accountability Act comes with consequences, no matter the reason for it.
A physician with the Massachusetts Eye and Ear Infirmary was traveling abroad in 2010 when his laptop was stolen. There was no evidence that the patient data stored on the computer were accessed. The hospital reported the incident to HHS, prompting an investigation that identified six areas of noncompliance with HIPAA privacy and security rules. HHS and the hospital announced Sept. 17 that they had reached a settlement and that the hospital would pay the $1.5 million and take corrective action to help ensure the security of mobile devices.
The agreement comes at a time when mobile and portable devices are considered one of the most vulnerable areas for breaches. Security of the devices often is overlooked in security assessments.
“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” said Leon Rodriguez, director of HHS’ Office for Civil Rights, in a prepared statement. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”
The hospital, which was not required to admit guilt, agreed to address the areas where it was not in compliance. The areas included risk assessment, staff training and review and revision of policies and procedures. One area of data security the hospital missed was encryption. If the stolen laptop had been encrypted, the hospital would not have had to report the incident.
The hospital said in a prepared statement that it was disappointed in the amount of the settlement, given its relatively small revenue. But it also said the case underscores the challenges associated with the deployment of mobile and portable devices.
“The rapid advancement of mobile technology … has tremendous benefit for our doctors and our researchers, enabling them to collaborate and pursue their work while they are on the move,” the hospital’s statement said. “It has also created new challenges for the entire health care community in the area of security safeguards.”
Reviews of breaches reported to HHS indicate that mobile and portable devices are becoming one of the most vulnerable areas for security breaches.
One such report was published in August by South Florida accounting firm Kaufman, Rossin & Co. It found that 50% of breaches in 2011 were from laptops or “other” compromised locations that included all mobile devices. For breaches of information on laptops, 95% involved theft; for breaches of “other,” 44% involved theft and 42% involved loss. The report’s authors said they expect the number of breaches involving theft and loss to grow as more mobile devices make their way into health care, “because they are more prone to loss and theft.”
The settlement with the Massachusetts Eye and Ear Infirmary is one of several HHS has reached with practices and hospitals of all sizes that violated HIPAA rules. In April, HHS announced its first enforcement action against a small practice. Phoenix Cardiac Surgery, a five-physician practice with offices in Phoenix and Prescott, Ariz., agreed to pay $100,000 to settle charges stemming from complaints that its appointment calendar with patient names and procedures was made publicly available on its online scheduling system. The practice did not have to admit guilt.