[ Friday, July 18, 2008 ]
Way back in 2006, I reported (and kept you all well updated) on an attempted laptop theft involving medical records on home health patients at Providence Health System in Oregon. An employee took home disks with patient records on them for "safekeeping," but locked them up, in one of those laptop travel cases, in his car in the driveway. Some crackhead broke into the minivan and stole the laptop case (and all the disks). Heads rolled, lawsuits were filed, but as I suspected, no actual identity theft or other nefarious injuries were suffered by any of the patients whose data was lost.
Well, Providence has now settled with HHS over the HIPAA breach, and agreed to pay a $100,000 fine, plus institute policies so this won't happen again. The HHS announcement is here, and the Resolution Agreement is here. (Actually, the Resolution Agreement hasn't been posted yet, but that's the link on the HHS HIPAA page.) A couple of fine points: the $100,000 is a "settlement amount," not a civil penalty. I'll wait to see the Resolution Agreement, but I think they don't want to get into whether the breach met any of the particulars for the levels of civil or criminal fines, since HHS doesn't want to tie its hands in the case of future prosecutions. HHS really thought Providence assisted in the investigation and did the right thing, so they wanted to treat them well for that. And the primary emphasis of the settlement was requiring Providence to fix their policies and procedures, including, I suspect, requiring them to encrypt information, to ensure that it doesn't happen again.
The HHS announcement indicates that laptops were stolen; that doesn't jibe with the original story, which was that only disks and tapes were taken. If a laptop were taken, the odds definitely increase that identity theft might occur: the thief is still just stealing the laptop for its hardware value, and a fence/purchaser would be motivated to make sure the laptop was completely and totally scrubbed of information on it, so it couldn't be traced back to the original theft victim; but he'd still have access to the information in the process of scrubbing, and might peek to see if it's valuable. If the thief just finds CDs and tapes, he's probably just going to dump them in the trash somewhere where they definitely won't be found, since they don't have resale value. Regardless, the thief, and the people who gain possession through him, are incentivized to destroy the information, not keep it and use it. Furthermore, there does not seem to be any indication in any of the news reports that the information was actually used for identity theft, which bolsters my suspicion that the data was trashed. Not a good reason to let Providence off the hook, and a $100,000 fine ain't chicken feed. I don't know the status of the civil suit, but I suspect there's going to be a problem with proving damages.
Here are some more news reports on the settlement.
UPDATE: The Resolution Agreement is now posted, and it turns out that on four different occasions, laptop computers belonging to Providence were stolen, each containing ePHI. That certainly adds a whole new wrinkle to the story.
Jeff [9:18 AM]