QCA Health Plan settles HHS charges stemming from laptop theft breach in October 2011
QCA Health Plan, Inc., of Arkansas, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, agreeing to a $250,000 monetary settlement and to correct deficiencies in its HIPAA compliance program.
On February 21, 2012, HHS received notification from QCA regarding a breach of unsecured electronic protected health information (ePHI).
On May 3, 2012, HHS notified QCA of its investigation, which found:
A. QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule to June 18, 2012.
B. QCA did not implement physical safeguards for all workstations that access ePHI to restrict access to authorized users on October 8, 2011.
C. QCA impermissibly disclosed the ePHI of 148 individuals on October 8, 2011.
If this breach comes as a surprise to you, it’s a surprise to me, too. Note that because this breach affected less than 500, it never appeared on HHS’s public breach tool, and this is the first I’m hearing about this incident. A press release by HHS today explains:
OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
A copy of the Corrective Action Plan (CAP) can be found here (pdf).