On July 10, 2015, the Office for Civil Rights (OCR) announced a HIPAA settlement with St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital in Brighton, Massachusetts. SEMC has agreed to pay $218,400 and adopt a robust corrective action plan.
The settlement is the result of two alleged violations. First, SEMC workforce members filed a complaint of a HIPAA violation with the OCR in late 2012, alleging that workforce members had used an internet-based document sharing application to store documents containing the electronic protected health information (EPHI) of almost 500 individuals. OCR determined that, in addition to the document storage issue, SEMC failed to identify and respond to this known security incident in a timely manner, mitigate the harm, and document the incident and its outcome. Second, in an unrelated event, on August 24, 2014, SEMC reported a breach of unencrypted EPHI contained on a laptop and USB flash drive of a former SEMC workforce member, which affected 595 individuals.
In the settlement, SEMC did not admit to any violations. In its announcement of the settlement, the OCR emphasized that organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In addition, this settlement is one of many examples of a breach caused by unencrypted mobile devices.