Physician's Stolen Laptop Leads to $1.5 Million Settlement

September 21, 2012

September 21, 2012 — Stolen or lost laptops accounted for roughly 1 in 5 incidents of footloose patient data reported to the federal government in 2011, according to a recent study by the accounting firm Kaufman Rossin.

If that statistic is not enough to convince out-and-about physicians to lock their laptops in their car trunks, the federal government will get their attention with a regulatory hammer. Just ask a group practice affiliated with the Massachusetts Eye and Ear Infirmary (MEEI), a specialty hospital in Boston.

In February 2010, a member of that group practice, now retired, had his unencrypted laptop stolen while he was lecturing in South Korea. The laptop contained demographic and health information on roughly 3600 patients. When it announced the theft 2 months later, MEEI stated that there was no evidence to suggest that anyone had accessed or misused the data in the computer. In addition to apologizing for the data breach, MEEI said it was encrypting laptops connected to its network and educating its staff about limiting the amount of patient information stored on the devices.

Those changes were not enough for the Department of Health and Human Services (HHS). Its Office for Civil Rights, which enforces the security provisions of the Health Insurance Portability and Accountability Act (HIPAA), investigated the case of the filched laptop. The inquiry indicated that MEEI and its affiliated medical group demonstrated "a long-term, organizational disregard for the requirements of the security rule," such as analyzing the risks associated with mobile electronic devices and taking the necessary precautions, according to HHS.

On September 17, HHS announced that MEEI and an affiliated medical group, Massachusetts Eye and Ear Associates, had agreed to pay the government $1.5 million to settle "potential violations" of HIPAA. The Massachusetts providers also agreed to a corrective action plan to stay out of HIPAA trouble in the future.

The settlement represents neither an admission of liability or wrongdoing by the providers nor a concession by the government that the providers did not violate HIPAA.

In a statement posted on its Web site, MEEI said that it has already implemented many of the requirements of the corrective action plan. It called mobile computer technology "both a boon and bane for healthcare providers," helping them work on the run, but also giving them security headaches. MEEI expressed disappointment at the size of the settlement, "given the lack of patient harm discovered in this investigation" and "especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines."

An MEEI spokesperson told Medscape Medical News that hospital officials declined to say anything about the settlement beyond what was posted on the Web site.

Don't Forget Smart Phones and Backup Tapes

The laptop swiped from the Massachusetts physician was 1 of 212 data breaches involving more than 500 patients that hospitals, physicians, and other entities covered by HIPAA reported to HHS in 2010, as required under the law. That year, laptops figured into 25% of the breaches, a percentage that dropped to 22% in 2011, according to the study issued by Kaufman Rossin in July. Of the laptop breaches in 2010 and 2011 combined, 97% involved either stolen or lost machines.

In addition to theft and loss, patient data can be compromised through hacking, unauthorized access, and improper disposal.

Laptops are not the only digital gadgets in healthcare that have a habit of wandering off. In 28% of the data breaches in 2011, the data were stored on portable electronic devices, such as smartphones, as well as backup tapes, CDs, DVDS, and X-ray film (a catch-all category labeled "other").

In 86% of these incidents, the device was stolen or lost. The Kaufman Rossin study said that healthcare organizations should consider encrypting these devices or turning to additional controls, such as sharing X-ray images via an Internet "cloud" provider rather than burning them on a CD or DVD.

The study highlights some good news: The number of reported data breaches decreased from 212 in 2010 to 145 in 2011. This trend could mean that healthcare organizations have gotten better at guarding their data, the Kaufman Rossin report states.

However, although the number of incidents declined, the number of individuals affected by compromised data doubled, going from 5.4 million in 2010 to 10.8 million in 2011. The loss of a backup tape containing almost 5 million records in 2011 skewed the tally for that year, the report noted.

Comments

3090D553-9492-4563-8681-AD288FA52ACE

processing....