Stolen, Unencrypted Laptop Leads to $850,000 Settlement and Comprehensive Corrective Action Plan for Massachusetts Teaching Hospital

The U.S. Department of Health and Human Services, Office of Civil Rights (OCR), has announced a settlement with Lahey Hospital and Medical Center (Lahey) that arose out of a HIPAA breach involving a stolen laptop. The settlement emphasizes the vulnerability of electronic protected health information (ePHI) and the importance of maintaining a rigorous Security Rule compliance program.
Lahey notified OCR that a laptop was stolen from an unlocked treatment room in its Radiology Department in August 2011. The laptop was located next to a portable CT scanner that the laptop operated. The laptop was not encrypted and contained the protected health information (PHI) of 599 individuals.  
As part of its investigation of the breach, OCR determined that there was “widespread non-compliance” within Lahey with respect to HIPAA, including the following:   
  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard the workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue; and 
  • Failure to implement procedures that recorded and examined activity in the workstation at issue.
In addition to the significant fine, OCR’s Resolution Agreement, announced on November 25, 2015, requires Lahey to do the following over the next two (2) years:
  • Undergo a comprehensive security management process that includes conducting an organization-wide risk analysis of the security risks and vulnerabilities to the ePHI created, received, maintained or transmitted by Lahey that incorporates all of the electronic media, workstations, and information systems owned, controlled or leased by Lahey; 
  • Develop a risk management plan; 
  • Develop policies and procedures that, among other things, require Lahey to maintain a record of receipt, removal, and disposition of hardware and electronic media that maintain ePHI into and out of Lahey’s facility, and the movement of these items within its facility; 
  • Provide training on the newly developed policies and procedures to all Lahey workforce members who have access to ePHI; 
  • Follow a specific reporting process with respect to any Lahey workforce member who does not comply with the new policies and procedures; and 
  • Prepare an implementation report that memorializes the steps taken by Lahey and attests to Lahey performing the requirements of the Resolution Agreement.  
Lahey is the most recent example of a covered entity that self-reported a HIPAA breach, after which OCR's investigation uncovered significant Security Rule compliance failures that contributed to the breach. OCR continues to impose stringent settlement terms on covered entities that do not comply with HIPAA privacy and/or security requirements.
Saul Ewing has written about recent OCR activities; see:   
Saul Ewing has experience advising covered entities and business associates with respect to HIPAA privacy, security and breach compliance; drafting and reviewing HIPAA privacy, security and breach policies and procedures; and providing training to covered entities, business associates and their respective workforces. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact. 