If the allegations are true or well-founded, then at the very least Dynacare should have to explain whether it had a policy in place that would have required the flash drive to be encrypted, and if so, how it monitored for compliance with that policy. Was this a work-issued flash drive or a personal one? And if work-issued, had it been configured for encryption?
Did Dynacare’s policies prohibit leaving devices with ePHI in unattended vehicles? And if so, how did Dynacare monitor for compliance?
How often were employees (and the employee in question) trained and re-trained on data security and privacy?
And why did it take Dynacare 24 days to notify the city of the theft? Did Dynacare have a written breach response plan in place before the incident? If not, and as yesterday’s HHS settlement with APDerm shows, OCR may enforce.
Taking it back a step, will HHS OCR look at Froedtert's BA contract with Dynacare, and at how Froedtert monitored to ensure Dynacare complied with any security and breach notification requirements in that contract?
I don’t expect to see anything on the breach from OCR for a long time, as it seems their enforcement actions are generally not very quick.