Stolen Laptop Bag Leads to $750,000 Fine for Oncology Group

McGuireWoods LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On September 2, 2015, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a substantial settlement with an Indiana-based oncology group, Cancer Care Group, P.C. (CCG). Under the terms of the settlement, the group paid $750,000 in fines and has agreed to adopt a lengthy corrective action plan detailed in a resolution agreement.

The CCG settlement comes after an OCR investigation revealed potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. OCR opened its investigation following a report that a CCG workforce member left a laptop bag unattended in his car, where it was stolen by a third party. The laptop bag included the member’s computer, which was encrypted and did not contain electronic protected health information (ePHI), and a computer server backup media, which was not encrypted and contained the ePHI of approximately 55,000 individuals. The OCR investigation revealed that CCG failed to properly secure the ePHI contained on the backup media, and did not have in place a written policy regarding the removal of hardware and electronic media containing ePHI into and out of its facilities. The investigation also revealed that CCG failed to conduct an assessment or implement policies and procedures addressing the incident. Accordingly, OCR concluded that CCG was in widespread noncompliance with the HIPAA Security Rule.

In addition to paying $750,000, CCG agreed to implement an extensive Corrective Action Plan (CAP). The CAP includes CCG’s commitment to conduct a thorough analysis of security risks and vulnerabilities relating to the storage, transmission and receipt of ePHI and to provide a report to HHS for approval within 90 days. Based on the findings of the report, CCG will review and revise its policies, procedures and training programs, and submit proposed revisions to HHS for review and approval. In addition, CCG has agreed to submit annual reports for three years regarding the status and findings of CCG’s compliance with the CAP.

The recent CCG settlement is another example of increased emphasis that OCR is placing on security of PHI stored electronically. Following this incident, OCR Director Jocelyn Samuels warned that "[o]rganizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information" and advised that “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP
McGuireWoods LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

McGuireWoods LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide