Malvern PA: Stolen Laptop Leads to $2.5 Million HIPAA Breach Penalty
The theft of a laptop computer containing information of nearly 1,400 patients was among two HIPAA breaches that led a Pennsylvania provider of remote heart monitoring to pay $2.5 million, federal authorities said this week.
Malvern-based CardioNet, Inc., essentially had no process at all for securely managing electronic protected health information (ePHI) of the patients it was hired to monitor, at the time the breaches occurred in early 2012, according to investigators from the U.S. Department of Health and Human Services' Office of Civil Rights (OCR).
CardioNet, a covered entity, was found to have insufficient risk analysis and risk management processes, in violation of the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA).
"CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented," OCR officials said in a statement. "Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices."
On its website, CardioNet is described as the world's leading supplier of mobile cardiac outpatient telemetry.
"CardioNet provides the next-generation ambulatory cardiac monitoring service with beat-to-beat, real time analysis, automatic arrhythmia detection and wireless ECG transmission," the website says. "CardioNet prides itself with helping clinicians prevent morbidity, mortality and disability with rapid diagnosis and treatment of patients with cardiovascular disease."
The first reported breach occurred on Jan. 10, 2012, when a laptop containing the ePHI of 1,391 people was stolen from a car parked outside of a CardioNet employee's home.
"Mobile devices in the health care sector remain particularly vulnerable to theft and loss," OCR director Roger Severino said in a statement.
"Failure to implement mobile device security by Covered Entities and Business Associates puts individuals' sensitive health information at risk," the statement continued. "This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected."
OCR did not provide details of the second (larger) breach, which occurred on Feb. 27, 2012, and compromised the ePHI of 2,219 individuals.
An email sent to the OCR press office was not immediately returned.
CardioNet's settlement brings the amount of HIPAA breach payments collected by OCR thus far this year to $14.3 million.
Last year, the agency collected a record $23.5 million, up from $6.2 million in all of 2015.