Lifespan pays $1M to settle potential HIPAA violations over stolen laptop breach

July 29, 2020

Dive Brief:

  • Rhode Island-based Lifespan has agreed to pay $1.04 million to settle allegations it potentially violated HIPAA regulations following the theft of an unencrypted laptop.
  • The nonprofit health system notified the HHS Office for Civil Rights in 2017 that a stolen employee MacBook laptop was unencrypted and contained the protected health information of more than 20,000 patients.
  • An OCR investigation concluded there was “systemic noncompliance” with HIPAA and a lack of control over devices regarding this type of issue. Lifespan said there has been no indication that any information has been accessed or used by anyone as a result of this incident, according to a statement sent to Healthcare Dive.

Dive Insight:

In 2019, OCR investigated and obtained a corrective action plan in 235 incidents, according to the office's data. That was down substantially from 2018, though closer to the figures from 2016.

Lifespan has agreed to a corrective action plan, which includes two years of monitoring, OCR said.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality,” OCR Director Roger Severino said in a statement. The best protection is to encrypt mobile devices to “thwart identity thieves,” Severino added.

Lifespan said the laptop in question was stolen out of an employee’s car in February 2017.

“Both prior to the incident and over the past three years we have taken several steps to further enhance our tactics to protect the security and confidentiality of patient information,” Lifespan said in its statement.

Lifespan is Rhode Island’s largest health system with five hospitals, including one psychiatric facility, and generates annual operating revenue of $2.4 billion. Most recently, Lifespan said the pandemic reignited merger talks with Care New England, which also has ties to Brown University’s medical school.

Meanwhile, as providers grappled with the onset of the novel coronavirus, OCR said earlier this year that the office was partially suspending its enforcement of HIPAA as some were overwhelmed with patients.

Healthcare Dive – Latest News