On April 24, the U.S. Department of Health and Human Services (HHS) announced that its Office for Civil Rights (OCR) reached a settlement with CardioNet, a provider of wireless cardiac monitoring services, arising out of alleged violations of the HIPAA Privacy and Security Rules. HHS called the settlement the first involving a wireless health services provider.
CardioNet notified OCR of two breaches of unsecured ePHI in 2012, arising out of a stolen laptop, which affected several thousand patients in total. OCR’s investigation found that CardioNet had inadequate risk analysis and risk management procedures in place, which put patients’ health information at risk, and had never finalized and implemented its Security Rule policies and procedures.
In its Resolution Agreement with OCR, CardioNet agreed to pay a $2.5 million fine and implement a corrective action plan that includes a comprehensive risk analysis and risk management plan to be approved by OCR. This settlement illustrates OCR’s intolerance for the continuing risk associated with unencrypted mobile devices, particularly in the absence of adequate risk assessments.