HHS Smacks Heart Monitoring Firm with $2.5 Million SettlementIt's Second HIPAA Settlement Issued Within the Last Week
The Department of Health and Human Services has smacked a mobile heart-monitoring technology firm with a $2.5 million HIPAA settlement related to findings from an investigation into a 2012 breach involving a stolen unencrypted laptop computer. The hefty fine reflects regulators finding that the organization lacked a sufficient risk analysis and risk mitigation.
The resolution agreement and corrective action plan with CardioNet, based in Malvern, Pa., is the second HIPAA settlement HHS' Office for Civil Rights announced in less than a week, the third in the month of April and the seventh so far in 2017.
On April 21, OCR announced a $31,000 settlement with the Center for Children's Digestive Health in Illinois for a case involving the lack of a business associate agreement with FileFax, a paper record storage vendor.
The Breach Report
CardioNet, which provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias, in January 2012 reported to OCR that a staff member's unencrypted laptop containing electronic protected health information on 1,391 individuals was stolen from a parked vehicle outside of the employee's home, OCR says.
But OCR's investigation into the incident "revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft," OCR says in the statement. "Additionally, CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented." OCR adds that CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
"Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss," Roger Severino, OCR director, said in the statement. "Failure to implement mobile device security by covered entities and business associates puts individuals' sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected."
In a statement provided to Information Security Media Group, OCR says: "As with many of cases that begin following a breach report, OCR's investigations review the overall status of HIPAA compliance within an organization. Many times, OCR finds evidence of more systemic compliance failures and patterns of noncompliance, as in the case of CardioNet. The focus of the CardioNet case is not on the stolen unencrypted laptop specifically, but rather on the overall failure by the organization to finalize and implement policies or procedures to safeguard ePHI, including those for mobile devices. While any particular breach may instigate an OCR investigation, for purposes of cases that proceed to resolution agreements, OCR focuses on other widespread noncompliance."
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, notes that based on details in the resolution agreement with CardioNet, it appears that "OCR had provided CardioNet the opportunity to resolve this matter informally through their voluntary compliance and only took formal enforcement action when CardioNet's compliance activities moved at a pace that was too slow for the agency."
Corrective Action Plan
The resolution agreement with OCR calls for CardioNet to take several corrective actions, including:
- Conduct a current, comprehensive and thorough risk analysis of security risks and vulnerabilities;
- Implement an organizationwide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis;
- Provide HHS with revised policies and procedures and certification that all laptops, flash drives, and other portable media devices are encrypted, together with a description of the encryption methods used;
- Revise and implement its HIPAA training program for its workforce.
OCR has had several previous settlements related to investigations stemming from breaches involving unencrypted computing devices.
That includes the August 2016 $5.5 million settlement with Chicago-based Advocate Health Care related to an investigation into three 2013 breaches. The largest incident, involving four stolen unencrypted computers, affected about 4 million individuals.
In addition, many of OCR's other previous HIPAA settlements also have noted that investigators found a lack of timely, comprehensive, enterprise-wide risk analysis and related risk mitigation.
"As OCR has indicated, the breach merely opens the door to them," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "OCR's settlements generally focus on the perceived root cause of the breach. Accordingly, the size of the breach is often a less important factor, compared to the magnitude of the issues that allegedly led to the breach, and the size of the organization."
Does Size Matter?
The CardioNet breach, which affected fewer than 1,400 individuals, is far smaller than many other breaches reported to OCR. To date, the largest breach reported to OCR was the 2015 cyberattack on health plan Anthem Inc., which affected nearly 79 million individuals.
Because it often takes several years from the time a breach is reported to OCR to the time a settlement is announced, it remain unclear whether some larger breaches, like Anthem's, that affected millions of individuals will also result in OCR taking enforcement action against the organizations.
Much depends on what OCR uncovers during the agency's investigation into these cases, says privacy attorney Kirk Nahra, of the law firm Wiley Rein.
" Size of the breach in terms of people affected is only one of many variables, so it is very hard to make comparisons across the settlements," Nahra notes.
In the CardioNet case, "this is a practice that has been a problem for a long time, so a company that fails to address laptops will likely get hit harder than someone who does something that hasn't been as visual evidence a problem," he says. "Covered entities and business associates should look at the substantive elements of the violation, as far as their planning is concerned. The [settlement] amounts only matter when you are negotiating."
The fact that the CardioNet settlement centers on a breach that occurred five years ago isn't surprising, legal experts say.
"All of the recent settlements - and every settlement we likely will see over the next two years - will involve incidents from two to five years ago," Nahra says.
Greene notes: "There is a pretty lengthy process involved in going to settlement: multiple data requests that occur over multiple years, internal OCR processes for moving an investigation into settlement discussions, time related to presenting and negotiating a settlement agreement, etc."
OCR, which issued a record 12 HIPAA settlements and one civil monetary penalty, in 2016 appears to be continuing its trend toward ramped-up enforcement so far in 2017.
At this time in 2016, OCR had announced six HIPAA enforcement case, compared with seven so far this year, despite a change in HHS' top leadership under the Trump administration (see HIPAA Enforcer OCR Gets New Leadership).
"While I was not surprised to see a number of settlements earlier this year as the Obama administration ended, I will admit that I was expecting a lull under the new administration as a new director came on," Greene says.
"The fact that the pace of settlements has continued suggests a good working relationship between the OCR career staff and the new director on the enforcement side, and that the new administration does not disagree with the current direction of OCR with respect to the enforcement of HIPAA."
Nahra says he doesn't expect "any meaningful change in overall OCR approach - in any direction - unless there is a significant budget or staff cut."