HIPAA Breach for Health System

Posted by BAS - 13 August, 2020

A Rhode Island health system must pay a $1M fine after the theft of an unencrypted laptop. The U.S. Department of Health and Human Services (HHS) began investigating the health system in 2017 after the covered entity filed a HIPAA breach notification due to the theft of an employee’s laptop from a car in a public parking lot. The laptop contained the names and medical information of 20,431 patients.

HHS determined that the health system failed to encrypt employees’ mobile devices and did not enter into business associate agreements with third parties who had access to medical information. The health system will be monitored for two years by HHS, must enter into a corrective action plan and will pay a $1M fine.

This incident is a reminder to covered entities to make sure devices are properly encrypted. The theft of an encrypted laptop would not be a HIPAA breach if information on the laptop could not be accessed.

Topics: MyEnroll360 Security, HR & Benefit Plans, Technology News

