
20-09-2012 | Article

Stolen patient data yields hefty fine for hospital



medwireNews: A laptop computer that was stolen from a Massachusetts hospital will end up costing $1.5 million, the Department of Health and Human Services (HHS) reports.

The purloined laptop belonging to the Massachusetts Eye & Ear Infirmary (MEEI) in Boston contained unencrypted files that included patient prescriptions and clinical information, amounting to a violation of the Health Insurance Portability and Accountability Act (HIPAA), according to the HHS Office for Civil Rights (OCR).

"In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices. This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom," said OCR Director Leon Rodriguez.

The OCR found that the Harvard-affiliated hospital did not conduct an analysis of the risk to patient or research subject confidentiality from electronic protected health information stored on laptops or other portable devices. The investigators also determined that the hospital did not have sufficient data security measures in place, and did not have adequate incident reporting and response procedures in case of a confidentiality breach.

"OCR's investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the [HIPAA] Security Rule," says an HHS statement.

In addition to the fine, MEEI will have to implement a "corrective action plan" to ensure that electronic patient data are handled securely, in accordance with HIPAA regulations. The hospital will be on probation for 3 years, under the watchful eye of an independent monitor, who will submit semi-annual reports to HHS.

HIPAA grants individual patients the right to protect their health information and determine who has access to the records. The law's security provisions require healthcare institutions to keep electronic records under physical and/or technological lock and key, and to have administrative safeguards to protect personal data.

The acronym-loving HHS also has a Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule that requires data holders to report breaches of protected but unsecured health information to affected patients, the HHS Secretary, and in some instances, to the media.

By Neil Osterweil, medwireNews reporter