Concentra Health settles HHS charges over 2011 laptop theft breach, to pay $1.7M
Concentra Health Services (Concentra) has agreed to pay OCR $1,725,220 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and will adopt a corrective action plan to evidence their remediation of these findings.
The settlement stems from an incident on November 30, 2011 (previously reported here) in which a laptop with unencrypted PHI of 870 patients was stolen from Concentra’s physical therapy office in Springfield, Missouri. The PHI included names, Social Security Numbers and pre-employment work-fitness test results of 870 patients.
HHS opened an investigation in May 2012, and found:
(1) Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008, until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.312(a)(2)(iv)).
(2) Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.308(a)(1)(i)).
The settlement contains no admission of guilt by Concentra.
A copy of the corrective action plan (CAP) can be found here (pdf). It includes risk assessment and risk management plan requirements. Of note (to me, anyway), even though HIPAA does not require encryption, the CAP includes this provision:
Encryption Status Update Requirements
1. Within 120 days of the Effective Date, at one year following the Effective Date, and at the conclusion of the one year period thereafter, Concentra shall provide an update to HHS regarding its encryption status, which shall include:
a. The percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted at that point in time.
b. Evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted.
c. An explanation for the percentage of devices and equipment that are not encrypted.
d. A breakdown of the percentage of encrypted devices and equipment for each specific Concentra facility and worksite.