Since 2012, the U.S. Department of Health and Human Services (HHS) has issued large monetary fines for violations of the HIPAA Privacy Rule. Some of its biggest fines, in fact, have been due to stolen laptops. In several instances, a single stolen laptop led to fines in excess of $1,000,000. In this post, we'll explore four instances in which stolen laptops led to HIPAA fines. We'll also discuss why a stolen laptop can incur such heavy penalties.
1) A Stolen Laptop in Massachusetts costs $1.5 Million
On 17 September 2012, a HIPAA entity in Massachusetts agreed to pay a $1,500,000 fine to settle HIPAA Privacy Rule violations. The cause of the fine? The theft of a single unencrypted laptop containing electronic protected health information (ePHI).
2) A Stolen Laptop in Idaho costs $50K
On 2 January 2013, a HIPAA entity in Idaho agreed to pay a $50,000 fine to settle violations of the HIPAA Privacy Security Rule. The investigation and subsequent fine were triggered by a stolen laptop computer containing the unencrypted data of 441 patients.
3) $1.7 Million Fine for a Stolen Laptop in Missouri
On 22 April 2014, Concentra Health Services agreed to pay a $1,725,220 fine to settle HIPAA Privacy violations. HHS initiated an investigation after receiving word that an unencrypted laptop had been stolen from one of its offices. Even though the laptop was in an office, the fact that its data was unencrypted triggered a hefty HIPAA fine.
4) Laptop Stolen from a car in Arkansas costs $250K
In February 2012, a HIPAA entity in Arkansas agreed to pay a $250,000 settlement for HIPAA Privacy violations. Again, the root cause of the fine was an unencrypted laptop being stolen from a car. The laptop contained, in unencrypted format, electronic protected health information of 148 patients.
HIPAA Fines and Stolen Laptops
The total sum of HIPAA fines paid by these four HIPAA entities came out to $3,525,220. In other words, across these four cases a single stolen laptop cost an average of $881,305 in HIPAA fines.
What can be done?
We recommend a two-pronged approach to avoid such high HIPAA fines for stolen laptops.
First, make sure every laptop in your organization has an encrypted hard drive. As the case in Missouri proved, even if a laptop never leaves the office, it can still be stolen and fines can still be issued. Microsoft provides BitLocker for free with certain versions of Windows. You can read our post "Free Windows Encryption tools for HIPAA Compliance" for more information. macOS also includes a utility called FileVault 2 to encrypt the contents of a hard drive. You can read our post on it: "Free Disk Encryption for Mac OS."
Secondly, it's apparent in today's society that users, regardless of profession, will take their work home with them. Just like everyone else, users within HIPAA entities need secure access to their data anytime, anywhere. That's where Paubox comes in: we are a HIPAA compliant email solution. You can use Paubox to store and share electronic protected health information (ePHI). In addition, each Paubox plan comes with a Business Associate Agreement. We understand the HIPAA landscape and we are here to help with your compliance needs.
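"Has BitLocker" is not the same as "is encrypted": a drive can be decrypted, half-way through encryption, or have its protection suspended, and in every one of those states a stolen laptop exposes the ePHI on it. The following audit script is an added example, not code from the original post or from Paubox; it assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012 and later, editions that ship BitLocker) and an elevated session.

```powershell
# Added example: report the BitLocker state of every volume on a Windows laptop
# and fail if any volume is not fully encrypted with protection switched on.
# Assumes the BitLocker module (Get-BitLockerVolume) and an administrator session.
#Requires -RunAsAdministrator

function Get-BitLockerComplianceReport {
    foreach ($v in Get-BitLockerVolume) {
        # FullyEncrypted alone is not enough: protection can be suspended
        # (ProtectionStatus = Off), which leaves the volume readable without a key.
        $compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and
                     ($v.ProtectionStatus -eq 'On')

        # Informational: is a recovery password escrowed? Without one, an
        # encrypted drive whose TPM or PIN fails is simply lost.
        $hasRecoveryKey = $v.KeyProtector.KeyProtectorType -contains 'RecoveryPassword'

        [pscustomobject]@{
            MountPoint        = $v.MountPoint
            VolumeType        = $v.VolumeType
            VolumeStatus      = $v.VolumeStatus
            ProtectionStatus  = $v.ProtectionStatus
            EncryptionPercent = $v.EncryptionPercentage
            RecoveryKeyStored = $hasRecoveryKey
            Compliant         = $compliant
        }
    }
}

$report = Get-BitLockerComplianceReport
$report | Format-Table -AutoSize

$failing = @($report | Where-Object { -not $_.Compliant })
if ($failing.Count -gt 0) {
    Write-Warning ("{0} volume(s) not fully encrypted with protection on: {1}" -f `
        $failing.Count, ($failing.MountPoint -join ', '))
    exit 1
}
Write-Host "All volumes are fully encrypted and protected."
exit 0
```

Run it from an endpoint-management tool or a scheduled task and collect the exit code, so a laptop whose encryption was never finished or was suspended shows up before it goes missing rather than after.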