Stolen Laptop Bag Results in $750,000 HIPAA Fine


Recently, the HHS Office of Civil Rights (OCR) issued a press release announcing a $750,000 HIPAA settlement with Cancer Care Group, P.C.

This large fine offers some very important lessons:

Take a closer look:

  • Cancer Care Group is a mid-size practice with only 18 physicians. It is important to note the size of the organization: this was not one of the typical large organizations that we are used to reading about.
  • Many smaller practices and other small related practices incorrectly believe that large HIPAA fines are only handed out to hospitals and very large healthcare organizations.
  • The HIPAA fine was triggered by a stolen laptop bag containing unencrypted backup media, which held information on 55,000 patients.

What Happened?

On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

*** Most malpractice or general liability insurance policies DO NOT cover HIPAA-related fines. Unless Cancer Care Group had a specific insurance policy that covers HIPAA-related fines, they will most likely have to pay this fine out of their own pocket. But even if they had HIPAA insurance, there is a chance that the insurance company will not pay the fine due to gross negligence.

OCR has been sending very clear messages to healthcare organizations:

If you have a data breach and OCR finds that you have ignored HIPAA requirements, there is a good chance that you will be handed a very large fine. 

Data breaches can happen due to lost or stolen laptops and USB drives, someone breaking into an office and stealing computers, employee mistakes, or someone hacking into an organization’s network.

The chance of a data breach increases every day. If OCR investigates the data breach, they will want proof that the organization has complied with HIPAA regulations and has put in place safeguards to properly protect patient information. Breaches happen, and many times OCR investigates and does not hand out any fines. But as this case shows, if OCR finds that you ignored HIPAA regulations, you may be facing serious legal troubles.

Contact your Technology Professionals and make sure you are doing what you need to do to be in HIPAA compliance.