In August 2012, a Physician Group—comprising of nearly 20 physicians—reported its HIPAA breach to HHS, which resulted from a laptop bag containing the employee’s laptop and a computer server backup being stolen from an employee’s car in July 2012. According to the Resolution Agreement between HHS and the Physician Group, the laptop did not contain ePHI, but the portable, unencrypted server backup in the employee’s bag did. The backup contained ePHI for 55,000 individuals. To settle this matter, the Physician Group has agreed to pay $750,000.

Although stolen laptops and lack of encryption is nothing new in the world of HIPAA breaches, this situation stands out for a few reasons:

  • The Physician Group did not conduct “an accurate and thorough” risk assessment;  
  • The significance of encryption extends not only to desktop computers and laptops, but also to portable devices, including but not limited to computer server backups; and
  • This is a notable fine for a Physician Group of less than 20 physicians.