BAS Blog

$750,000 HIPAA Settlement for Indiana Cancer Group

Written by BAS | Oct 1, 2015 1:14:50 PM

Cancer Care Group, PC, based in Indiana, entered into a settlement agreement with the U.S. Department of Health and Human Services (HHS) over a HIPAA breach. The group will have to pay $750,000 and undergo HIPAA compliance measures.

The breach dates back to 2012, when HHS received notice from Cancer Care Group that a laptop bag was stolen from an employee’s car. The bag contained an employee’s computer, along with unencrypted backup media holding the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of about 55,000 Cancer Care Group patients.

HHS investigated the incident and found that the group was not complying with the HIPAA Security Rule. Specifically, the group did not perform a risk assessment, did not have policies for removal of data and did not have media controls in place. 

Cancer Care Group, in addition to paying a penalty, has taken corrective action to comply with the HIPAA Privacy and Security Rules.