HHS announced today that it resolved a HIPAA security breach matter with two Massachusetts providers for $1.5 million. In compliance with the Breach Notification Rule, the Massachusetts providers reported the theft of an unencrypted laptop containing ePHI. Lest there be any lingering doubt as to the importance of compliance with the Security Rule, OCR Director Leon Rodriguez stated, "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices . . . This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom." In addition to the settlement payment, the Massachusetts providers agreed to a corrective action plan that will be overseen by an independent monitor for the next three years.