HIPAA Compliance and the Million Dollar Laptop

How a single lost device cost a healthcare provider big money.

August 14, 2020 • Published by

One. Million. Dollars.

I must admit that when I sat down to write this blog post I felt a bit silly writing out the title “The Million Dollar Laptop.” This is not a post about a wildly overpriced and new, barely changed, or updated piece of tech that Apple is releasing, or some exorbitant gaming laptop that you are hoping to purchase to play Fortnite or Minecraft. No, this is about the simple neglect of a lost device. Neglect that cost a healthcare organization $1,040,000.00.

In the spring of 2017, Lifespan Health System Affiliated Covered Entity (Lifespan ACE) filed a breach report to the US Department of Health and Human Services Office of Civil Rights (HHS OCR) reporting that an employee was the victim of theft of a hospital laptop containing ePHI. The report indicated that 20,431 individuals were affected as a result of the lost device.

The OCR, as they are inclined to do, performed an investigation as a result of the breach report and ordered Lifespan ACE to pay $1,040,000.00 as part of a resolution agreement for the systemic non-compliance with HIPAA across the organization, the failure to encrypt ePHI on laptops, the lack of device and media controls, and the failure to ensure that Lifespan Corporation (Lifespan ACE’s parent company) had business associate agreements in place.

In addition to the million-dollar resolution, Lifespan ACE agreed to a corrective action plan to ensure that Lifespan ACE corrects any non-compliant and insecure findings as a result of the OCR investigation.

Not Your Typical Cyber Crime

When I talk about data security breaches it is easy for people to conjure up the image of some Guy Fawkes masked hacker locked away in a dark room filled with Doritos, matrix code, and Prodigy’s Firestarter thumping loudly in the background… While hackers like this certainly do exist, it is important to note that it’s much easier to be breached or have a security incident if you have failed to properly secure the most basic of things in your business. In fact, many breaches are directly or indirectly caused by negligence (willful or otherwise) of improperly trained employees using technologies that have not been fully protected and hardened.

It is fair to say that I do not know all the minor details surrounding the theft of the hospital laptop discussed here, but I am confident in saying that a lost device is not always avoidable. What is avoidable is the severe lack of protections that we as entities can persist in our people, technologies, and processes.

I can also comfortably say that if an IT and compliance team had gone to executives and requested one million dollars for the purchase of a new laptop, they would be laughed out of the room. They would probably even be replaced with someone viewed as more competent to do the job, and who wasn’t going to waste money on such an expensive piece of equipment!

My advice to you, dear reader, is to take advantage of your time and the resources available to you now and ensure that you are protecting yourself, your organization, and individuals (patients or clients). Save yourself the heartache and the steep cost of a breach, and be proactive in your data security and compliance.

Do you have an ongoing HIPAA security and compliance program that allows you and your organization to move forward with confidence? If not, I invite you to have a discussion with a security and compliance expert. Click here to get started.