On April 23, 2014, the Department of Health and Human Services (“HHS”) announced settlements with two health care companies stemming from allegations of inadequate information security practices in the wake of investigations involving stolen laptop computers. Concentra Health Services (“Concentra”) and QCA Health Plan Inc. (“QCA”) will collectively pay nearly $2 million to settle the claims.

As reported in Bloomberg BNA, the HHS Office for Civil Rights (“OCR”) opened a compliance review of Concentra after receiving a data breach report that an unencrypted laptop was stolen from one of the company’s facilities. OCR’s investigation found that Concentra had previously recognized that the lack of encryption was a “critical risk,” but the company’s efforts to address the issue were “incomplete and inconsistent over time.” OCR also alleged other insufficient security management processes safeguarding patient information. Concentra agreed to pay $1.7 million and adopt a corrective action plan.

QCA agreed to pay $250,000 and provide HHS with an updated risk analysis and corresponding risk management plan. The company provided OCR with notice of a data breach in 2012 regarding an unencrypted laptop computer that was stolen from a workforce member’s car. OCR’s subsequent investigation led to allegations that the company “failed to comply with multiple requirements” of the HIPAA Privacy and Security Rules from April 2005 to June 2012.