$2 million HIPAA settlement highlights mobile device risks facing healthcare providers

Laptops and other mobile devices containing personal health information have been stolen from long-term care ombudsman programs and other healthcare organizations, including from Concentra Health Services and QCA Health Plan Inc. Now, Concentra and QCA have agreed to legal settlements totaling nearly $2 million, federal authorities announced Tuesday.

Concentra agreed to the larger settlement, $1.7 million. The Texas-based healthcare provider reported in December 2011 that an unencrypted laptop had been stolen from one of its physical therapy centers, according to the settlement resolution document. A subsequent federal investigation alleged that Concentra dragged its feet even after identifying data security risks, according to the Health and Human Services Office for Civil Rights, which oversees health information privacy matters. Specifically, Concentra determined in 2008 that only 434 of nearly 600 company laptops were encrypted, but it did not begin encrypting all devices until 2012, the settlement document states.

Concentra does not admit to any wrongdoing by entering into the settlement, according to the resolution. In addition to the financial penalty, the company has agreed to a corrective action plan to beef up data security.

In a separate case, a thief stole an unencrypted laptop from the car of a QCA employee in 2012, leading to a federal investigation and a $250,000 settlement. The Arkansas-based health insurance company does not admit any wrongdoing, and it also has agreed to a corrective action plan, the Office for Civil Rights announced.

In January, a flash drive and laptop were stolen from an employee of the Michigan Long-Term Care Ombudsman's Office. The information on the laptop was encrypted, but the information on the flash drive was not, according to the state's Department of Community Health. The HIPAA breach might have compromised nearly 2,600 people's information.

The Health Insurance Portability and Accountability Act does not specifically mandate that providers encrypt personal health information, but they are required to pursue alternative safeguards if they do not encrypt, according to the Bureau of National Affairs. 
