Global Edition
Privacy & Security

Why did Lifespan Health face such a stiff HIPAA penalty for a stolen laptop?

On the surface, like with other HHS settlements, it may seem harsh, regarding only the amount of money vis-a-vis the number of patients affected. But it's important to consider what OCR is trying to accomplish.
By Shawn Tuma
July 29, 2020
10:00 AM

The United States Department of Health and Human Services recently reached an agreement with Lifespan Health System Affiliated Covered Entity in which Lifespan agreed to pay the HHS Office for Civil Rights $1,040,000 and adopt a corrective action plan in the wake of a data breach that exposed over 20,431 patients' protected health information.

The breach occurred when an employee's unencrypted laptop was stolen. It contained electronic protected health information – including patients' names, medical record numbers, demographic information and medication information.

On the surface, this settlement, like many other OCR settlements, may seem harsh when people look at only the amount of money vis-a-vis the number of patients affected. In the world of HIPAA breaches, and data breaches in general, 20,431 affected individuals is not a large breach. And for a stolen laptop? Laptops get stolen every day, right?

It has become quite common for those who find themselves in the crosshairs of an HHS investigation to say that the agency acts too harshly, and that the money HHS is fining companies would be better spent on those companies' security practices.

Unfortunately, those who feel this way do not understand what OCR and most other regulatory agencies are trying to accomplish – which leads to the key takeaway from this settlement.

HHS is trying to get companies to comply with the law and, more broadly, their obligation to protect the sensitive information that people have entrusted to them. We have handled numerous cases where it could have imposed penalties on companies but did not because it was clear that the companies were being diligent and were trying to get it right.

They may not have gotten it right. There may have been breaches that exposed patients' information. But they were trying.

Now, looking at the agency's actions through this lens, consider the following details HHS provided about the Lifespan ACE case:

  • "OCR's investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so."
  • "OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation."

"'Laptops, cellphones, and other mobile devices are stolen every day, that's the hard reality. Covered entities can best protect their patients' data by encrypting mobile devices to thwart identity thieves,'" said OCR Director Roger Severino in a statement about the case.

Mistakes happen every day. Everyone understands that when it comes to cybersecurity there is no such thing as being completely secure.

But, when an entity recognizes that it has significant vulnerabilities that are likely to lead to the compromise of the privacy of people's sensitive information, it has to take it seriously and act diligently in mitigating those vulnerabilities. It has to try to get it right. If it doesn't make a good-faith effort, it will likely pay a price for it when something bad happens.

Shawn Tuma is a partner at Spencer Fane LLP, in the firm's Dallas office, representing a wide range of clients across the U.S. and globally in dealing with cybersecurity, data privacy, data breach and incident response, regulatory compliance, computer fraud-related legal issues and cyber-related litigation.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Wes Cronkite of TruBridge on AI
AI & ML Intelligence
Highlighting rural voices is imperative for equitable, bias-free healthcare AI

Most Read

Change Healthcare cyberattack still impacting pharmacies, as H-ISAC issues alert
OCR settles its 2nd ransomware investigation, probably not the last
A focus on precision medicine: Australia redefines National Digital Health Strategy
NIST updates Cybersecurity Framework with Version 2.0
HIMSS24 Europe: Interoperability takes centre stage in Rome
HSCC publishes 5-year healthcare cybersecurity strategic plan

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Artificial Intelligence
Analytics
Analytics

More Stories

Andrew Schultz at PatientPoint_Patient listening to nurse photo by SDI Productions/Getty Images
How a connected engagement ecosystem can empower better health
A nurse attending to a patient in the San's Poon Day Infusion Centre
Managing a safe transition to new treatment guidelines
Dr. Monika Sonu at Healthinnovation Toolbox_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How to build digital health tools with the clinician in mind
Healthcare data exchange
ONC pubs Common Agreement v2.0, with regs for FHIR exchange
Female nurse in grey scrubs on rests on a couch with her head back
Take these steps to reduce unproductive charting for nurses, says KLAS
Prevounce Founder Daniel Tashnek on RPM coding
New codes from the AMA could mean more RPM reimbursement by 2025
Person at a desk with a laptop crunches numbers on a calculator
Small medical practices will close because of Change cyberattack, says AMA
MaryAnn Connor at Memorial Sloan Kettering Cancer Center_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Care problems become technology systems via nurse informaticists