Medical Group Pays $750K Over Patient E-Files Stolen From Car

September 03, 2015

Medical and billing information for 55,000 people literally got out of the bag — a laptop bag — in July 2012 when someone smashed a car window and stole computer backup tapes from a radiation oncology practice in Indianapolis, Indiana.

Last month, Cancer Care Group (CCG) agreed to pay the federal government $750,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services (HHS) announced yesterday.

In addition to handing over the six-figure sum, the 17-physician practice agreed to adopt a "corrective action plan" to better comply with HIPAA, which requires that healthcare providers keep patient data out of the wrong hands. HHS noted that at the time of the theft, CCG was in "widespread noncompliance" with the 1996 law. It had not conducted a risk analysis of its information systems and lacked a written policy on the removal of computer hardware containing patient information from its facilities, "even though this was a common practice in the organization."

The laptop bag stolen from an employee's unattended car contained unencrypted backup tapes storing basic demographic and insurance information, Social Security numbers, and clinical data for 55,000 current and former patients, according to HHS. There also was a laptop computer in the bag, but it did not store any patient information.

CCG reported the breach to HHS in August 2012 and issued a statement saying that there was no evidence that anyone had accessed information on the backup media or used it for fraud. The group also said that it would tighten its data security by, among other things, encrypting mobile storage devices.

"Cancer Care Group deeply regrets that this occurred," CCG said about the incident.

The agreement to settle the case for $750,000 states that it does not represent any admission of liability by CCG, or any concession by HHS that the oncology practice had not violated HIPAA.

The group's executive director did not respond to a request for an interview.

More information on yesterday's announcement by HHS is available on the department's website.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.
Post as: