Stolen Laptop Leads to $2.5M HIPAA Breach Penalty

Brought to you by MSPmentor

The theft of a laptop computer containing information of nearly 1,400 patients was among two HIPAA breaches that led a Pennsylvania provider of remote heart monitoring to pay $2.5 million, federal authorities said this week.

Malvern-based CardioNet, Inc., essentially had no process at all for securely managing electronic protected health information (ePHI) of the patients it was hired to monitor, at the time the breaches occurred in early 2012, according to investigators from the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR).

CardioNet – a covered entity – was found to have insufficient risk analysis and risk management processes, in violation of the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA).

“CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented,” OCR officials said in a statement. “Further, the Pennsylvania–based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”

On its website, CardioNet is described as the world’s leading supplier of mobile cardiac outpatient telemetry.

“CardioNet provides the next-generation ambulatory cardiac monitoring service with beat-to-beat, real time analysis, automatic arrhythmia detection and wireless ECG transmission,” the website says. “CardioNet prides itself with helping clinicians prevent morbidity, mortality and disability with rapid diagnosis and treatment of patients with cardiovascular disease.”

The first reported breach occurred on Jan. 10, 2012, when a laptop containing the ePHI of 1,391 people was stolen from a car parked outside of a CardioNet employee’s home.

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” OCR director Roger Severino said in a statement.

“Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk,” the statement continued. “This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

OCR did not provide details of the second – larger – breach, which occurred on Feb. 27, 2012, and compromised the ePHI of 2,219 individuals.

An email sent to the OCR press office was not immediately returned.

CardioNet’s settlement brings the amount of HIPAA breach payments collected by OCR thus far this year to $14.3 million.

Last year, the agency collected a record $23.5 million, up from $6.2 million in all of 2015.

This article originally appeared on MSPmentor.