Unencrypted stolen laptop costs Lifespan more than $1M

The Rhode Island health system has settled with OCR for the HIPAA violation after an employee's computer went missing – with protected health information of 20,431 individuals left accessible.
By Mike Miliard
03:20 PM

Providence, Rhode Island-based Lifespan Health System will pay $1,040,000 and put a corrective action plan in place to settle a potential HIPAA violation with the HHS Office for Civil Rights.

ON THE RECORD
The case involves an employee's stolen MacBook laptop, which was solemn from their car in a public parking lot on February 25, 2017, and never recovered.

"Lifespan ascertained that the employee's work emails may have been cached in a file on the device's hard drive," according to the OCR settlement.

"The analysis revealed that the thieves had access to: patient names, medical record numbers, demographic information, including partial address information, and the name of one or more medications that were prescribed or administered to patients. The protected health information on the stolen laptop may have included information for patients across various affiliated provider facilities and belongs to Rhode Island Hospital, Lifespan Pharmacy LLC, retail pharmacies and affiliated hospitals of Lifespan."

In addition to that impermissible disclosure of those 20,431 individuals' PHI, the investigation also indicated that Lifespan has not implemented "policies and procedures to encrypt all devices used for work purposes," according to OCR, nor did it sufficiently track or inventory all devices that access its network that might contain PHI. It also found that Lifespan didn't have the right business-associate agreements in place among its provider affiliates.

Beyond the million-plus monetary settlement, Lifespan will implement a corrective action plan that includes two years of monitoring, according to OCR.

THE LARGER TREND
For years and years, we've been reporting on a steady drumbeat of similar incidents: stolen computers that, had their files been encrypted, could have saved the health systems involved millions in monetary settlements.

Still, for just as long, healthcare organizations have often proved resistant to encryption.

And so, even in recent years, the incidents of theft – and the settlements paid for potential HIPAA Security Rule violations – continue.

Eight months ago, University of Rochester Medical Center agreed to settle for three times what Lifespan did, paying $3 million to OCR for its own failure to encrypt.

"When you see (security breaches) in the news and think, 'What should we do?' it’s not that you need to have the most advanced new technology that doesn’t exist," said former Twitter and Mozilla CISO Michael Coates at the time. "You need to go back to basics and say, 'We know what we need to do.' It’s strong passwords. It’s hashing. It’s good security practices."

ON THE RECORD
OCR Director Roger Severino agrees. In a statement on the Lifespan case, he put it simply:

"Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality," said Severino. "Covered entities can best protect their patients' data by encrypting mobile devices to thwart identity thieves."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.