USA: HHS fines Lifespan Health System $1M for unencrypted stolen laptop breach in violation of HIPAA Rules

The U.S. Department of Health & Human Services ('HHS') announced, on 27 July 2020, that Lifespan Health System Affiliated Covered Entity had paid $1,040,000 to the HHS' Office for Civil Rights ('OCR') and agreed to implement a corrective action plan to settle violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules ('the HIPAA Rules') arising from the theft of an unencrypted laptop ('the Settlement').

In particular, the OCR notes that on 21 April 2017, Lifespan Corporation, the parent company and business associate of Lifespan Health System, filed a breach report with the OCR concerning the theft of an affiliated hospital employee's laptop containing electronic protected health information ('ePHI'), including patients' names, medical record numbers, demographic information, and medication information. The report stated that the breach affected 20,431 individuals.

In addition, the Settlement highlights that Lifespan Health System did not, among other things, implement policies and procedures to encrypt all devices used for work purposes, implement policies and procedures to track or inventory all devices that access the network containing ePHI, or have in place the proper business associate agreements between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of Lifespan Health System.

You can read the press release here and the Settlement here.