Employers Pay $1.9 Million in HIPAA Settlements After Theft of Unencrypted Laptops

Author: Gloria Ju

May 7, 2014

Employers that fail to encrypt laptops and other mobile devices containing personal health information (PHI) can pay a high price for potential Health Insurance Portability and Accountability Act (HIPAA) violations. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced two settlements - totaling almost $1.98 million - against employers from which unencrypted laptops containing electronic PHI (ePHI) had been stolen.

OCR began investigating Concentra Health Services (Concentra) after receiving a breach report that an unencrypted laptop had been stolen from its physical therapy facility in Springfield, Missouri. OCR found that Concentra had previously recognized, in multiple risk analyses, that the lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk. While Concentra had begun taking steps toward encryption, its efforts were incomplete and inconsistent over time, leaving patients' PHI vulnerable throughout the organization. OCR also found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra agreed to pay OCR $1,725,220 and to adopt a corrective action plan, which includes employee security awareness training, to remedy the security issues.

OCR also investigated QCA Health Plan, Inc. (QCA) of Arkansas after receiving a breach report that an unencrypted laptop containing 148 individuals' ePHI had been stolen from an employee's car. Although QCA encrypted its devices after discovering the breach, OCR found that QCA had failed to comply with multiple requirements of HIPAA's Privacy Rule and Security Rule, beginning from the Security Rule compliance date in April 2005 and ending in June 2012. According to the resolution agreement, QCA agreed to pay $250,000. It is also required to:

  • Provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to, and vulnerabilities of, its ePHI;
  • Retrain its employees; and
  • Document its ongoing compliance efforts.

OCR stated that mobile device security is the obligation of covered entities and business associates, and that encryption is the best defense against incidents of this kind.