$2 million HIPAA settlement highlights mobile device risks facing healthcare providers

Laptops and other mobile devices containing personal health information have been stolen from long-term care ombudsman programs and other healthcare organizations, including from Concentra Health Services and QCA Health Plan Inc. Now, Concentra and QCA have agreed to legal settlements totaling nearly $2 million, federal authorities announced Tuesday.

Concentra agreed to the larger settlement, $1.7 million. The Texas-based healthcare provider reported in December 2011 that an unencrypted laptop had been stolen from one of its physical therapy centers, according to the settlement resolution document. A subsequent federal investigation alleged that Concentra dragged its feet even after identifying data security risks, according to the Health and Human Services Office for Civil Rights, which oversees health information privacy matters. Specifically, Concentra determined in 2008 that only 434 of nearly 600 company laptops were encrypted, but it did not begin encrypting all devices until 2012, the settlement document states.

Concentra does not admit to any wrongdoing by entering into the settlement, according to the resolution. In addition to the financial penalty, the company has agreed to a corrective action plan to beef up data security.

In a separate case, a thief stole an unencrypted laptop from the car of a QCA employee in 2012, leading to a federal investigation and a $250,000 settlement. The Arkansas-based health insurance company does not admit any wrongdoing, and it also has agreed to a corrective action plan, the Office for Civil Rights announced.

In January, a flash drive and laptop were stolen from an employee of the Michigan Long-Term Care Ombudsman's Office. The information on the laptop was encrypted, but the information on the flash drive was not, according to the state's Department of Community Health. The HIPAA breach might have compromised nearly 2,600 people's information.

The Health Insurance Portability and Accountability Act does not specifically mandate that providers encrypt personal health information, but they are required to pursue alternative safeguards if they do not encrypt, according to the Bureau of National Affairs. 
