The U.S. Department of Health and Human Services (HHS) announced today a $750,000 HIPAA settlement with a radiation oncology practice located throughout Indiana, following the theft of a single laptop and backup media in 2012. The equipment contained names, social security numbers, and other protected health information for 55,000 individuals. Of interest is the emphasis by HHS not on the size of the breach, but the practice’s failure to conduct an enterprise-wide risk analysis or develop policies addressing portable media before the loss.
In short, the practice faced these fines because of a lack of preparation and risk assessment. While a $750,000 fine for loss of 55,000 records (i.e., over $13 per record) is significant, total costs arising from the loss are likely far in excess when taking into account costs of notification, providing identity theft protection, costs for lawyers, IT forensics and other consultants, potential suit, loss of productivity and other costs. The Ponemon Institute projects that the average cost of a data breach is now $3.8 million, or around $194 per record.*
The settlement underscores important actions to take to avoid HIPAA and other liability:
- Security breaches will happen. Planning how to prevent and address them is critical.
- Regular, thorough, enterprise-wide risk assessments are necessary to avoid potential liability and to reduce liability once a breach occurs.
- A risk analysis is useless, however, if it is not followed by a risk management strategy.
- HHS looks closely at policies and procedures, which need to reflect risks found in the risk assessment and fit into the risk management strategy. Of course, you must also show that employees and others abide by those policies.
- Encrypt all portable media that has PHI. If the laptop and media stolen in this case had been encrypted in accordance with NIST standards, there likely would have been no liability. An important part of any encryption strategy is to keep a complete inventory of all electronic devices.