Laptops and other mobile devices containing personal health information have been stolen from long-term care ombudsman programs and other healthcare organizations, including from Concentra Health Services and QCA Health Plan Inc. Now, Concentra and QCA have agreed to legal settlements totaling nearly $2 million, federal authorities announced Tuesday.
Concentra agreed to the larger settlement, $1.7 million. The Texas-based healthcare provider reported in December 2011 that an unencrypted laptop had been stolen from one of its physical therapy centers, according to the settlement resolution document. A subsequent federal investigation alleged that Concentra dragged its feet even after identifying data security risks, according to the Health and Human Services Office for Civil Rights, which oversees health information privacy matters. Specifically, Concentra determined in 2008 that only 434 of nearly 600 company laptops were encrypted, but it did not begin encrypting all devices until 2012, the settlement document states.
Concentra does not admit to any wrongdoing by entering into the settlement, according to the resolution. In addition to the financial penalty, the company has agreed to a corrective action plan to beef up data security.
In a separate case, a thief stole an unencrypted laptop from the car of a QCA employee in 2012, leading to a federal investigation and a $250,000 settlement. The Arkansas-based health insurance company does not admit any wrongdoing, and it also has agreed to a corrective action plan, the Office for Civil Rights announced.
In January, a flash drive and laptop were stolen from an employee of the Michigan Long-Term Care Ombudsman’s Office. The information on the laptop was encrypted, but the information on the flash drive was not, according to the state’s Department of Community Health. The HIPAA breach might have compromised nearly 2,600 people’s information.
The Health Insurance Portability and Accountability Act does not specifically mandate that providers encrypt personal health information, but they are required to pursue alternative safeguards if they do not encrypt, according to the Bureau of National Affairs.