I was surprised to read this morning that Hospice of North Idaho had settled charges by HHS over a laptop stolen from an employee’s car in the summer of 2010.
I was surprised, in part, because I was not aware of this incident at all as it had not appeared in HHS’s breach tool. Since it occurred after HITECH went into effect, it’s possible that the breach affected less than 500 patients. According to a statement from the hospice reported by David Cole of the Coeur d’Alene Press, the hospice had appropriately reported the incident at the time to HHS.
So why did HHS fine this hospice $50,000? Was it to make some point about leaving laptops in unattended cars? If so, I approve in principal, but why this hospice instead of one of the many other covered entities that have had laptops stolen from cars? At least in this case, it is somewhat more understandable that an employee would have removed patient data from the office as they provide home-based hospice services.
Should the data have been encrypted or otherwise protected? Obviously. And do I agree with the hospice’s statement that “The theft of the laptop was out of our hands?” Obviously not. If you wouldn’t leave your wallet with all your credit cards and IDs in your car to be stolen, you shouldn’t be leaving a laptop with patient information in your car to be stolen. And if you would leave your wallet in your car, I personally don’t think you should ever be trusted with patient data.
But a $50,000 fine for a hospice that self-reported a breach seems harsh, particularly when we think of all the other cases where no fine was imposed.
There is no statement on the hospice’s web site at this time. Nor on HHS’s. I’ve e-mailed both requesting a statement or explanation as to why this breach resulted in a fine and hope we’ll find out more.