Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach

Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). Lifespan ACE has also agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. Lifespan ACE includes many healthcare provider affiliates in Rhode Island, and has designated itself as a HIPAA affiliated covered entity.

On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan ACE, filed a breach report with OCR concerning the theft of an affiliated hospital employee’s laptop. The laptop contained electronic protected health information (ePHI) including patients’ names, medical record numbers, demographic information, and medication information. This breach affected 20,431 individuals.

OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules. The noncompliance included a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so. OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/lifespan-ra-cap-signed.pdf (PDF).

Adapting to the HIPAA guidelines doesn’t need to be a nuisance. Here at databrackets, our qualified security team can help you get security awareness training for your employees, as well as a careful and cost-effective risk analysis so that you won’t have to worry about a thing. Schedule a consultation with us or request a quote today!
