How can a laptop cost so much? When you lose it and it contains unencrypted health information, that’s how. That’s what the Feinstein Institute for Medical Research learned this month, when it settled an enforcement action brought by the Department of Health and Human Services under HIPAA after the theft of an employee’s laptop containing the protected health information of 13,000 research participants. HHS cracked down hard despite the lack of any reports of unauthorized access to or use of the information, apparently motivated by the Institute’s lack of critical data security policies and its failure to perform a risk analysis. On the same day, a hospital chain in Minnesota agreed to pay $1.55 million to settle claims arising from the loss of a laptop by a business associate. The hospital’s mistake: failing to have a written agreement requiring its business associate to safeguard patient data.