Massachusetts Hospital Agrees to Pay $1.5m After Stolen Laptop HIPAA Violation

Massachusetts Eye and Ear Infirmary (MEEI), a Boston-based hospital, agreed earlier this week to pay $1.5 million to the U.S. Department of Health and Human Services (HHS), settling a HIPAA violation stemming from a 2010 incident.

The agreement acknowledges that the hospital failed to comply with requirements laid out in HIPAA, the Health Insurance Portability and Accountability Act of 1996.

Two years ago, while a doctor was travelling abroad, his unencrypted laptop, containing information on roughly 3,500 patients, including prescriptions and other clinical information, was stolen. According to the hospital's notice at the time, the laptop contained no billing information but did hold patients' names, addresses, telephone numbers, email addresses and other identifying information. Although it was never confirmed that anyone had accessed or misused the data, the hospital reported the incident to HHS and an investigation was opened. The lack of encryption is what made the theft reportable in the first place: under the HIPAA Breach Notification Rule, protected health information encrypted in line with HHS guidance is not treated as "unsecured" PHI, so the loss of a properly encrypted device would generally not have triggered notification.

That investigation found that the hospital had failed to comply with HIPAA requirements in six areas between October 2009 and June 2010. Among other failings, MEEI did not "implement security measures sufficient to ensure the confidentiality of electronic protected health information" and did not "conduct a thorough analysis of the risk to the confidentiality of electronic protected health information maintained on portable devices," according to a press release issued on Monday.

In addition to paying the $1.5 million, MEEI must follow a Corrective Action Plan (CAP) that sets out the steps it must take to comply with HIPAA, perform a risk assessment and train its staff. The hospital must also submit to semi-annual audits for three years, according to a post on HHS.gov.

Blue Cross Blue Shield of Tennessee also agreed to pay HHS $1.5 million earlier this year. That settlement followed a 2009 data breach that exposed the information of roughly a million Blue Cross Blue Shield members, and, much like MEEI's incident, there was no clear evidence that any of the affected individuals' information had been misused.

The Government Accountability Office argued in an audit this past summer that the HHS Office for Civil Rights (OCR) could be doing a better job of overseeing HIPAA compliance. In its report, the GAO said HHS needs to improve both its guidance to covered entities and its oversight of them.
