Stolen Laptop Bag Leads to $750,000 Fine for Oncology Group

September 14, 2015

On September 2, 2015, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a substantial settlement with an Indiana-based oncology group, Cancer Care Group, P.C. (CCG). Under the terms of the settlement, the group paid $750,000 in fines and has agreed to adopt a lengthy corrective action plan detailed in a resolution agreement.

The CCG settlement comes after an OCR investigation revealed potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. OCR opened its investigation following a report that a CCG workforce member left a laptop bag unattended in his car, where it was stolen by a third party. The laptop bag included the member’s computer, which was encrypted and did not contain electronic protected health information (ePHI), and a computer server backup media, which was not encrypted and contained the ePHI of approximately 55,000 individuals. The OCR investigation revealed that CCG failed to properly secure the ePHI contained on the backup media, and did not have in place a written policy regarding the removal of hardware and electronic media containing ePHI into and out of its facilities. The investigation also revealed that CCG failed to conduct an assessment or implement policies and procedures addressing the incident. Accordingly, OCR concluded that CCG was in widespread noncompliance with the HIPAA Security Rule.

In addition to paying $750,000, CCG agreed to implement an extensive Corrective Action Plan (CAP). The CAP includes CCG’s commitment to conduct a thorough analysis of security risks and vulnerabilities relating to the storage, transmission and receipt of ePHI and to provide a report to HHS for approval within 90 days. Based on the findings of the report, CCG will review and revise its policies, procedures and training programs, and submit proposed revisions to HHS for review and approval. In addition, CCG has agreed to submit annual reports for three years regarding the status and findings of CCG’s compliance with the CAP.

The recent CCG settlement is another example of increased emphasis that OCR is placing on security of PHI stored electronically. Following this incident, OCR Director Jocelyn Samuels warned that “[o]rganizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information” and advised that “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

If you need assistance with the implementation of a compliance program to minimize risks to health information privacy and security, please do not hesitate to contact one of the authors of this article.