Lahey Hospital Fined $850,000 in HIPAA Case
OCR Investigated Theft of Laptop Used to Operate Medical Device
Federal regulators have announced a HIPAA resolution agreement with Lahey Hospital and Medical Center in Burlington, Mass., stemming from an investigation into the theft of a laptop that was used to operate a medical device.
The Department of Health and Human Services' Office for Civil Rights says evidence obtained during the agency's breach investigation indicated "widespread non-compliance with the HIPAA rules" at the hospital.
In addition to paying an $850,000 penalty, the provider organization must adopt "a robust corrective action plan to correct deficiencies in its HIPAA compliance program," OCR says in a statement.
The resolution agreement with Lahey is OCR's fourth HIPAA settlement so far this year and 26th since 2008, when the HITECH Act authorized HHS to increase enforcement penalties and gave it the authority to keep what it collects for HIPAA education and enforcement.
Lahey, a not-for-profit teaching hospital affiliated with Tufts Medical School, notified OCR in October 2011 that a laptop was stolen from an unlocked treatment room during the overnight hours on Aug. 11, 2011, OCR says. The unencrypted laptop, which was on a stand that accompanied a portable CT scanner, was used to operate the scanner and produced images for viewing through Lahey's radiology information system and its picture archiving and communication system. The computer's hard drive contained the protected health information of 599 individuals.
OCR says its breach investigation found HIPAA non-compliance issues that included:
- Failure to conduct a thorough risk analysis of all of its ePHI;
- Failure to physically safeguard a workstation that accessed ePHI;
- Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
- Lack of a unique user name for identifying and tracking user identity with respect to the workstation in this incident;
- Failure to implement procedures that recorded and examined activity in the workstation; and
- Impermissible disclosure of 599 individuals' PHI.
"It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment," OCR Director Jocelyn Samuels says in a statement. "Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity's risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA's standards are in place."
In a statement provided to Information Security Media Group, Lahey notes: "Patient confidentiality is our highest priority. The ... device that was stolen in 2011 contained limited data for approximately 600 patients. The data consisted of names, birth dates and information relating to a specific imaging test. It did not contain Social Security, financial, or any other patient information."
Upon learning of the theft, Lahey immediately remotely deleted data off the laptop and notified each patient, according to the statement. "This was an isolated incident and in the more than four years since the device was stolen, we have no indication that any patients' personal data relating to this situation was accessed," according to the hospital's statement. "We had a number of security measures in place at the time and have taken steps since to improve upon those measures."
Lahey has agreed to a corrective action plan that includes the organization addressing "its history of noncompliance with the HIPAA rules by providing OCR with a comprehensive, enterprisewide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance," OCR says.
The corrective action plan also requires Lahey to provide HIPAA-related training to new workforce members who have access to ePHI within 30 days of beginning their service.
"The overriding lesson from OCR's enforcement actions is that there is an expectation that organizations will apply common sense, cost-effective procedures and solutions to prevent unauthorized access to information systems or safeguard devices from theft," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"We should all look carefully at how we can protect our offices, exam rooms and clinical areas from unauthorized access, putting cable locks on laptops, desktop computers or any small device that stores PHI to deter theft and to encrypt data on computer hard drives or storage media. And [organizations must] perform an accurate and thorough risk assessment that includes within its scope each component of information systems that handle e-PHI."
Some of the HIPAA non-compliance issues that OCR found in its investigation into the Lahey incident are common problems that OCR has found in previous enforcement cases at other covered entities. Those include failure to conduct a timely, comprehensive risk analysis; deficiencies in policy and procedures; and inadequate workforce training.
OCR's other 2015 resolution agreements include:
- A $750,000 settlement announced in September with Indiana-based Cancer Care Group, P.C. for a breach involving a stolen unencrypted laptop that affected 55,000 current and former patients.
- A $218,400 settlement with St. Elizabeth's Medical Center in Boston for two breach cases. Those include an incident affecting 498 individuals that involved staff members using an Internet-based document sharing application to store documents containing ePHI, and the theft of a worker's personally owned unencrypted laptop and storage device containing ePHI of 595 individuals.
- A $215,000 settlement with Denver-based Cornell Prescription Pharmacy for a breach involving inappropriate disposal of paper records containing PHI of about 1,600 patients.
Since 2008, OCR has issued 26 HIPAA enforcement actions involving resolution agreements, plus, in one case, a civil monetary penalty. In that case, OCR issued a $4.3 million civil monetary penalty against Cignet Health of Prince George's County, Md., because the clinic failed to provide 41 patients with access to their medical records and then failed to cooperate with federal investigators.