Stolen Laptops Lead to Multi-million-dollar HIPAA Settlements
October 19th, 2016
The Feinstein Institute for Medical Research in Manhasset, NY, entered into a $3.9 million settlement with the U.S. Department of Health and Human Services (HHS) after a laptop computer was stolen from an employee’s car.
The laptop contained the names, dates of birth, addresses, Social Security numbers, diagnoses, lab results, medications, and other medical information of 13,000 patients. The institute lacked policies and procedures for authorizing staff access to electronic PHI and failed to restrict that access to authorized users.
In a related case, North Memorial Health Care of Minnesota agreed to a $1.55 million settlement for a HIPAA violation. It is the first case in which a hospital or other covered entity has entered into a settlement for failure to execute a business associate agreement (BAA).
The investigation started in September 2011 after receipt of a breach report: an unencrypted, password-protected laptop containing the PHI of more than 9,600 patients had been stolen from a locked car belonging to an employee of a business associate. There was no business associate agreement in place, and the hospital had not conducted a risk assessment, even though the business associate had access to about 290,000 patient medical records.
OCR announced that business associates will be targeted in its next round of privacy and security audits, and has contacted hospitals for information on their covered entities. Audits are conducted to verify hospitals and other covered entities are in compliance with HIPAA rules.
Hospitals and other covered entities should ensure they have appropriate business associate agreements signed and are following the HIPAA requirements related to business associates. HHS offers model business associate agreement language at http://1.usa.gov/1PfLUk8, as well as guidance on conducting a HIPAA risk analysis at http://bit.ly/1dB9eg3.