Large settlement for data breach sends message to lock up laptops and smartphones

A case involving a hospital points to a growing problem with the rapid deployment of mobile devices and a lack of attention to their security.

Posted Sept. 28, 2012


With a $1.5 million settlement agreement over a lost laptop, the Dept. of Health and Human Services is sending a signal to doctors and others that a violation of the Health Insurance Portability and Accountability Act comes with consequences, no matter the reason for it.

A physician with the Massachusetts Eye and Ear Infirmary was traveling abroad in 2010 when his laptop was stolen. There was no evidence that the patient data stored on the computer were accessed. The hospital reported the incident to HHS, prompting an investigation that identified six areas of noncompliance with HIPAA privacy and security rules. HHS and the hospital announced Sept. 17 that they had reached a settlement and that the hospital would pay the $1.5 million and take corrective action to help ensure the security of mobile devices.

The agreement comes at a time when mobile and portable devices are considered one of the most vulnerable areas for breaches. Security of the devices often is overlooked in security assessments.

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” said Leon Rodriguez, director of HHS’ Office for Civil Rights, in a prepared statement. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The hospital, which was not required to admit guilt, agreed to address the areas where it was not in compliance. The areas included risk assessment, staff training, and review and revision of policies and procedures. One area of data security the hospital missed was encryption. If the data on the stolen laptop had been encrypted, the hospital would not have had to report the incident.

The hospital said in a prepared statement that it was disappointed in the amount of the settlement, given its relatively small revenue. But it also said the case underscores the challenges associated with the deployment of mobile and portable devices.

“The rapid advancement of mobile technology ... has tremendous benefit for our doctors and our researchers, enabling them to collaborate and pursue their work while they are on the move,” the hospital’s statement said. “It has also created new challenges for the entire health care community in the area of security safeguards.”

Reviews of breaches reported to HHS indicate that mobile and portable devices are becoming one of the most vulnerable areas for security breaches.

One such report was published in August by South Florida accounting firm Kaufman, Rossin & Co. It found that 50% of breaches in 2011 were from laptops or “other” compromised locations, a category that included all mobile devices. For breaches of information on laptops, 95% involved theft; for breaches in the “other” category, 44% involved theft and 42% involved loss. The report’s authors said they expect the number of breaches involving theft and loss to grow as more mobile devices make their way into health care, “because they are more prone to loss and theft.”

The settlement with the Massachusetts Eye and Ear Infirmary is one of several HHS has reached with practices and hospitals of all sizes that violated HIPAA rules. In April, HHS announced its first enforcement action against a small practice. Phoenix Cardiac Surgery, a five-physician practice with offices in Phoenix and Prescott, Ariz., agreed to pay $100,000 to settle charges stemming from complaints that its appointment calendar with patient names and procedures was made publicly available on its online scheduling system. The practice did not have to admit guilt.

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession.