Stolen Laptops Lead to Nearly $2M In HIPAA Settlements

gold-dollar-signStolen laptops are a concern for every business – the loss of proprietary data, compromised employee or client information and concerns over access into the business’s network, if they theft isn’t reported right away to IT staff, are just a few of the ways a lost or stolen laptop can damage a business.

However if your business is in the Medical Industry the damage can be exponentially worse, as it was for two recent cases where the U.S. Department of Health and Human Services settled with two entities for total of nearly $2,000,000 USD as a result of potential HIPAA violations after laptops were stolen.

The first of the two incidents involved Concentra Health Services, who had an unencrpyted laptop stolen from it’s Springfield Missouri Physical Therapy Center.  During the investigation of this incident it was determined that Concentra had previously acknowledged via risk analyses that their lack of encryption on devices containing Electronic Protected Health Information (ePHI) was a serious risk.  Concentra had begun the process of encrypting ePHI but the efforts had been “inconsistent” resulting in insufficient security in place to safeguard patient information.  To settle these potential violations Concentra agreed to pay $1,725,220 and put in place an action plan to remediate these issues.

The second incident involved QCA Health Plan, Inc. of Arkansas, who reported in February 2012  that a laptop containing ePHI records of 148 individuals had been stolen from an employee’s car.  Upon investigation it was determined that QCA had failed to comply with multiple HIPAA rules with the beginning compliance date of April 2005 and ending June 2012.  QCA Health Plan, Inc. agreed to pay a $250,000 USD settlement and was required to provide Health and Human Services with an updated risk analysis and risk management plan.

In the last few months we’ve covered some of the cyber attacks in the US and around the world; several of these attacks have involved the medical industry:

  • February 2014 – Lost thumb drive compromises 3598 Texas Cancer Center patients
  • February 2014 – Laptop stolen at St. Vincent’s Indianapolis hospital, 1100 patient’s information compromised
  • February 2014 – St. Joseph Health System hacked, over 400,000 patients and employees personal information compromised
  • February 2014 – Assisted Living Concepts had an incident of unauthorized access
  • March 2014 – Franciscan Medical Group employees responded to a phishing scam
  • April 2014 – Lubbock Cardiology Clinic had unauthorized access of their Electronic Health Record System
  • April 2014 – Centura Health employees responded to a phishing scam
  • April 2014 – Midwest Orthopaedics at Rush notified patients a doctor’s email had been accessed by an outside individual

If the Concentra Health Services and QCA Health Plan settlements are any indication, many of these recent breaches may appear on the Health and Human Services list of settlements in the next couple of years.

A few years ago a local doctor’s office had an external hard drive assigned to an employee every night to be taken home.  This seemed like common sense to protect the backed up company and patient data on the server in case of fire or theft.  Unfortunately, one night this employee left the external hard drive in their car which was subsequently broken into (very similar to the Concentra incident).  This doctor’s office had to notify all their patients and employees of the loss and potential breach of their personal information.  But all things considered this case could have been worse, had Health & Human Services been involved at the time this could have resulted in a business ending settlement or fine.

The important take away is if you’re in the medical industry bound by the HIPAA laws now is the time to make sure you’ve done everything necessary to protect your business’s and patients’s data and avoid the chance of having to pay a large fine or settlement.



  1. Top Speed Reply

    From the Agreement: “Payment: Concentra agrees to pay HHS the amount of $1,725,220 (Resolution Amount). Concentra agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.”

    To read the full Agreement between Health & Human Services and HHS:

Leave a Reply

Your email address will not be published.

Back to top