Lifespan Health System Hit With $1 Million HIPAA FineHefty Penalty After Theft of Unencrypted Laptop
Federal regulators have slapped the Rhode Island-based health system Lifespan with a $1 million settlement tied to a 2017 data breach involving the theft of an unencrypted laptop that potentially exposed the data of 20,000 individuals. The settlement is the largest HIPAA enforcement action by the Department of Health and Human Services so far this year and the second settlement announced within the last week.
In a statement Monday, HHS' Office for Civil Rights says Lifespan also agreed to implement a corrective action plan.
Lifespan operates Rhode Island Hospital and its Hasbro Children's Hospital, The Miriam Hospital, Bradley Hospital, Newport Hospital and Gateway Healthcare.
OCR notes that on April 21, 2017, Lifespan Corp., the parent company of the health provider, filed a breach report with OCR concerning the theft of an affiliated hospital employee's laptop containing electronic protected health information that included patients' names, medical record numbers, demographic information and medication information.
The agency's investigation into the breach also determined that there was "systemic noncompliance with the HIPAA rules, including a failure to encrypt ePHI on laptops after Lifespan ... determined it was reasonable and appropriate to do so," OCR notes.
OCR says it also uncovered a lack of device and media controls.
"Laptops, cellphones, and other mobile devices are stolen every day, that's the hard reality. Covered entities can best protect their patients' data by encrypting mobile devices to thwart identity thieves," said Roger Severino, OCR director.
Under a corrective action plan that's part of OCR's resolution agreement with Lifespan, the healthcare system must take several steps, including:
- Within 90 days, provide proof of encryption and access controls;
- Review and revise written policies and procedures on device and media controls;
- Distribute the policies and procedures to all members of the Lifespan's workforce who use or disclose electronic PHI;
- Provide training to its workforce on the policies and procedures related to ePHI.
Lifespan did not immediately respond to an Information Security Media Group request for comment on the settlement.
So far this year, HHS OCR has announced only three HIPAA settlements. Last week, it unveiled a $25,000 settlement in a case involving an email breach reported nearly a decade ago by Washington, N.C.-based Metropolitan Community Health Services Inc., which does business as Agape Health Services (see: Email Breach Leads to HIPAA Fine for Small Clinic).
In March, OCR announced a $100,000 settlement with the Utah medical practice of Steven A. Porter, M.D. in a case related to a business associate dispute (see: Big HIPAA Fine for Solo Doctor Practice).
Last year, OCR announced 13 HIPAA enforcement actions totaling about $15.3 million. That includes three HIPAA settlements announced by mid-year 2019 totaling $6.1 million.
The failure to encrypt mobile computing and media devices has been the center of several large HIPAA settlements by OCR over the years. That includes a $3 million settlement with the University of Rochester Medical Center in upstate New York in November 2019 and a $65,000 settlement in December 2019 with West Georgia Ambulance.
Steps to Take
With OCR previously issuing so many large settlements in other HIPAA cases involving unencrypted mobile devices, why are some covered entities and business associates still not encrypting this equipment?
In some cases, older unencrypted devices fall through the cracks. Also, some organizations lack good asset inventory controls to ensure that all devices are identified and encrypted, some security experts note.
"Additionally, sometimes the problem is that if the administrative console for managing device encryption cannot definitively prove that a lost or stolen device was encrypted, an organization in that situation has to assume the worst and declare a breach," notes Keith Fricke, principal consultant at tw-Security.
Privacy attorney David Holtzman, principal at the consulting firm HITPrivacy, says the root cause of incidents in which mobile devices are lost or stolen is carelessness. "Accidents happen. People lose stuff. People steal stuff. And that's never going to change," he says. "Considering the frequency of lost devices on which sensitive data is stored, encryption is as close to a no-brainer solution as it gets."
The best approach for preventing data loss from lost or stolen devices, he says, is: "Encrypt devices. Lock them down. Train your workforce to keep their devices with them. Regularly back up your data. Better yet, use remote networks to keep data from having to be saved on a laptop or smartphone."
Healthcare organizations should conduct routine audits of encrypted devices, Fricke stresses. "This can be achieved through periodic review of the management console used to administer encrypted endpoints. Specifically, IT staff should look for devices that have not reported into the encryption console in a while."
The IT department also should work closely with those ordering supplies to make sure that endpoint devices being ordered "are coming through IT upon receipt, so that encryption can be enabled and managed on company-owned devices," he adds.
Finally, both covered entities and business associates need to remind the workforce that ePHI should not ever be saved to the hard drive of their laptop or portable device - and they must not copy confidential information to a personally owned device, he notes.