BreachExchange mailing list archives

Hartford Hospital, EMC Corp. Fined for HIPAA Violations
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 1 Dec 2015 09:13:43 -0600

http://www.healthdatamanagement.com/news/Hartford-Hospital-EMC-fined-for-HIPAA-violations-51529-1.html

Connecticut Attorney General George Jepsen has levied a fine totaling
$90,000 against Hartford Hospital and information technology vendor EMC
Corp. for violation of HIPAA privacy and security rules.

The Connecticut action is a reminder to healthcare industry stakeholders
that state AGs have authority to enforce HIPAA, and several are doing so.

The disciplinary action comes after an unencrypted laptop containing
protected health information on nearly 8,900 Connecticut residents was
stolen from the home of an EMC employee in June 2012.

EMC was a business associate to Hartford Hospital, engaged in analyzing
patient data to reduce avoidable admissions of patients with congestive
heart failure. After EMC notified Hartford Hospital of the theft, the
facility realized it had not entered into a business associate agreement
with the vendor, according to the AG office. The hospital contacted
patients whose information was contained on the laptop, and it offered them
credit and identity theft services from AllClear ID.

In addition to each paying a share of the fine, both organizations also
entered into agreements to enhance the security of protected health
information. Hartford Hospital, for instance, will encrypt files or data
containing PHI before it transmits or transfers such information, a
statement from the attorney general’s office said.

After the incident, Hartford implemented multiple security improvements,
including a process to determine when a BAA is required; new checklists and
questionnaires for determining whether a potential vendor meets certain
privacy and security controls; annual mandated training; and contract
revisions that incorporate HIPAA-required business associate provisions
into contracts.

EMC has agreed to “maintain reasonable policies requiring the encryption of
all PHI stored on laptops or other portable devices and transmitted across
wireless or public networks and to maintain reasonable policies for
employees relating to the storage, access and transfer of PHI outside of
EMC premises,” according to the AG statement.

Former Connecticut Attorney General Richard Blumenthal, now a United States
Senator, also targeted healthcare organizations following breaches.
Blumenthal sued insurer Health Net for failure to disclose a large 2009
breach in a timely manner with the settlement calling for a $250,000 fine
and a state approved action plan. Then, the Connecticut Insurance
Department used its state authority to fine Health Net of Connecticut
$375,000.

Former Massachusetts Attorney General Martha Coakley was particularly
active in taking HIPAA enforcement action against covered entities. Beth
Israel Deaconess Medical Center paid a $100,000 fine after a physician’s
laptop was stolen, South Shore Hospital paid fines totaling $750,000 but
with $275,000 credited for investments to improve security, Boston
Children’s Hospital paid $40,000 following the theft of an unencrypted
laptop, and four pathology practices were fined a total of $140,000 for
dumping patient records at a recycling station.

Responding to a request from *HDM*, Hartford Hospital issued the following
comment on the recent action taken by Connecticut AG Jepsen:

“We treat all matters related to patient privacy and confidentiality with
the utmost seriousness. After the incident occurred in 2012, Hartford
Hospital put into place several educational and procedural changes. These
include remedial education, new policies, operational checklists, enhanced
mandatory compliance training, more robust training modules regarding
privacy, new contract templates and additional contracting procedures.

“Hartford Hospital has entered into a voluntary resolution with the
Attorney General’s office to address the issue: the theft of a laptop
computer from a consultant who was working for Hartford Hospital in 2012.
The stolen laptop contained protected health information of about 8,883
patients. There is no evidence that any of the information has been
misused. As the Attorney General’s agreement shows, back in 2012, Hartford
Hospital appropriately notified the patients affected, the Attorney
General’s office and the media of the theft of the laptop.”

Upon request, EMC Corporation also released the following statement on the
settlement:

“EMC has fully cooperated with the Connecticut Attorney General's office
during its review of this matter. While EMC believes it did not violate any
laws, resolving things by agreement was the best course for all involved.
EMC remains fully committed to the privacy and data security of all
customers with which it deals.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss