BreachExchange mailing list archives

Lahey Clinic computer theft leads to $850,000 HIPAA settlement


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 1 Dec 2015 09:10:54 -0600

http://www.modernhealthcare.com/article/20151130/NEWS/151139998

Lahey Hospital and Medical Center has agreed to pay $850,000 in a
settlement with HHS' Office for Civil Rights to resolve alleged privacy and
security violations stemming from the theft of a laptop computer with
unencrypted patient records.

The Burlington, Mass.-based health system also entered into a corrective
action plan to address other privacy and security issues raised during the
breach investigation.

According to a 10-page settlement agreement
<http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY/lahey.pdf>,
Lahey reported to the federal agency on Oct. 11, 2011, that an unencrypted
laptop used with a computerized tomography scanner had been stolen from an
unlocked treatment room in Lahey's radiology department.

Lahey “impermissibly disclosed” electronic medical records of 599
individuals “for a purpose not permitted by the privacy rule” under the
Health Insurance Portability and Accountability Act, the agency alleges in
the agreement. The Civil Rights Office is the primary federal enforcement
agency for privacy, security and breach notification rules under HIPAA.

The agency also alleged that Lahey had failed to meet a number of other
HIPAA requirements, including not conducting “an accurate and thorough”
security risk analysis, failing to assign “a unique username for
identifying and tracking user identity” on the stolen computer and failing
to “implement a mechanism to record and examine activity” on the computer.

The Lahey settlement comes just a couple of months after Cancer Care Group,
a radiation oncology practice in Indiana, paid $750,000
<http://www.modernhealthcare.com/article/20150902/NEWS/15090997> to settle
potential HIPAA violations also involving a stolen computer and storage
media holding about 55,000 patient records.

According to the Civil Rights Office's list of major breaches involving the
medical records of 500 or more individuals, the records of more than 154.1
million individuals have been exposed in 1,401 incidents since records
started being kept in September 2009.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
