Million Dollar Laptop

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

Was it made of gold? Encrusted in diamonds? No. Read on to learn how one laptop ended up being worth a massive one million dollars.

The U.S. Department of Health and Human Services (HHS) recently closed an investigation into Lifespan Health System Affiliated Covered Entity for a stolen laptop incident reported back in 2017. That laptop contained…ready for this? …20,431 individual patient records that all contained protected health information (PHI). And it wasn’t encrypted. HAD it been encrypted, this would not have constituted a breach, and while problems would have resulted from the theft, one of them wouldn’t have been a million-dollar fine.

It doesn’t always end with a fine when you’re in violation of HIPAA. All recommended policies and procedures will still need to be implemented, but as in this example, HHS put additional requirements in place. Those include the corrective action plan and two years of monitoring by the HHS Office for Civil Rights (OCR).

Lifespan had a variety of exposed non-compliance issues within their system that were discovered by the OCR investigation, including a lack of encryption on devices. Additionally, business associate agreements were not in place with their related entities.

Encrypt, Encrypt, Encrypt
The OCR has acknowledged that theft occurs daily with devices including laptops, cellphones, and mobile phones. But encryption can reduce the damage done in these cases and lessen the impact to the company and their patients.

Healthcare companies must look at their own business with a whole health perspective. The entire life cycle has to be protected. This includes a solid HIPAA compliance plan that addresses hardware and software from purchase to theft, or loss of use for other reasons. With remote work now a normal part of the business landscape, the risk of “end of life” being out of control of an IT department is to be expected. Employees must know how to handle these situations of disposing of equipment properly, which should be outlined in your policies and procedures.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.

HIPAA Secure Now! now offers PHIshMD training for CEs and BAs to help protect your organization from security threats.

Technology safeguards put a virtual wall around your network, but what happens when the bad actors climb over that wall? It’s up to your employees. Over 90% of breaches get caused by human error according to Kaspersky Lab, and if you’re not educating users HOW to protect your organization in this ever-changing threat landscape, your organization could be next. LEARN MORE