Stolen Laptop Leads to $2.5M HIPAA Breach Penalty

CardioNet found to have insufficient risk analysis and risk management processes

Data Center Knowledge

April 26, 2017


Brought to you by MSPmentor

The theft of a laptop computer containing information of nearly 1,400 patients was one of two HIPAA breaches that led a Pennsylvania provider of remote heart monitoring to pay $2.5 million, federal authorities said this week.

At the time the breaches occurred in early 2012, Malvern-based CardioNet, Inc., essentially had no process at all for securely managing the electronic protected health information (ePHI) of the patients it was hired to monitor, according to investigators from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

CardioNet – a covered entity – was found to have insufficient risk analysis and risk management processes, in violation of the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA).

“CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented,” OCR officials said in a statement. “Further, the Pennsylvania–based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”

On its website, CardioNet is described as the world’s leading supplier of mobile cardiac outpatient telemetry.

“CardioNet provides the next-generation ambulatory cardiac monitoring service with beat-to-beat, real time analysis, automatic arrhythmia detection and wireless ECG transmission,” the website says. “CardioNet prides itself with helping clinicians prevent morbidity, mortality and disability with rapid diagnosis and treatment of patients with cardiovascular disease.”

The first reported breach occurred on Jan. 10, 2012, when a laptop containing the ePHI of 1,391 people was stolen from a car parked outside of a CardioNet employee’s home.

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” OCR director Roger Severino said in a statement.

“Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk,” the statement continued. “This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

OCR did not provide details of the second – larger – breach, which occurred on Feb. 27, 2012, and compromised the ePHI of 2,219 individuals.

An email sent to the OCR press office was not immediately returned.

CardioNet’s settlement brings the amount of HIPAA breach payments collected by OCR thus far this year to $14.3 million.

Last year, the agency collected a record $23.5 million, up from $6.2 million in all of 2015.

This article originally appeared on MSPmentor.
