Laptop theft proves costly
Hospice of North Idaho to pay feds $50,000
December 29, 2012
Hospice of North Idaho will pay $50,000 as part of a settlement with the federal government regarding a stolen laptop computer that contained patient information.
Amanda Miller, a spokeswoman for the hospice in Hayden, said there is no evidence patient information was lifted from the computer and used. The breach, however, violated the Health Insurance Portability and Accountability Act.
The settlement is with the U.S. Department of Health and Human Services Office of Civil Rights, which was informed of the theft right after it happened, Miller said.
A burglar stole the computer from a home hospice worker’s car, she said. Though the thief was caught, the laptop was never recovered.
An internal review resulted in new security policies for the organization.
“Hospice of North Idaho conducted a thorough risk analysis as a part of its security process, increased security measures on all equipment containing patient information, and adopted stronger security policies and procedures to ensure the safety of patient health information,” Miller said. “Other measures taken were the encryption of all laptops, stronger password enforcement, and HIPAA privacy and security training on a scheduled basis.”
Patients whose information was on the laptop were notified and offered credit monitoring. Hospice also hired information technology and human resource experts – two services that were previously outsourced.
Miller said the nonprofit will pay the $50,000 out of its operating budget.
“As a nonprofit, $50,000 is a lot of money and we are being extra resourceful right now to account for this settlement cost,” she said.
Hospice of North Idaho reported $8.86 million in revenue with a $700,000 margin in 2010, according to its most recent available federal tax filing.
Miller credited the settlement sum – a fraction of what HIPAA violations have cost some health providers – to quick response and strict security measures at Hospice of North Idaho.
In March, Blue Cross Blue Shield of Tennessee paid a $1.5 million settlement after 57 unencrypted computer hard drives were stolen from a facility.
A June settlement required the Alaska Department of Health and Social Services to pay $1.7 million after just one portable hard drive containing patient data was stolen from an employee’s vehicle.
Brenda Wild, Hospice of North Idaho board president, said the board takes the fine seriously.
“The theft of the laptop was out of our hands, but the measures we have taken since then to ensure the security and privacy of our patients’ information have been numerous,” she said.