Dive Brief:
- The Office for Civil Rights (OCR) at the HHS settled a case on Monday with wireless cardiac monitoring service provider CardioNet. The case involved a laptop that was stolen from a parked vehicle in 2012, resulting in the exposure of the electronic protected health information of 1,391 people.
- The OCR said the company had “insufficient risk analysis and risk management processes in place at the time of the theft.” The company had not implemented the proper policies and procedures to meet the HIPAA Security Rule. Instead, they were in “draft form” at the time of the theft, said the OCR.
- The settlement of $2.5 million is the first involving a wireless health services provider and it shows companies need to protect their HIPAA information, according to the OCR.
Dive Insight:
The $2.5 million fine of the Pennsylvania-based organization raises some eyebrows. Failing to protect health information properly will cause a swift response from the OCR.
Healthcare organizations need to make sure that protecting patient information is a priority. On-site HIPAA audits are slated to begin this year. Most healthcare organizations (80%) are planning on increasing their data security spending this year, Thales reported in February.
Security breaches in the healthcare industry have become a bigger problem over the past few years. While data on major health data breaches from the HHS show the number of incidents caused by employee negligence has decreased, employee awareness was the top security threat concern for about 80% of healthcare leaders recently surveyed by HIMSS Analytics for Level 3 Communications. Protenus reported in February that this year has been averaging a breach a day.