Concentra Health Services, Addison, Texas, a subsidiary of Humana and a provider of occupational medicine and other health services, has agreed to pay more than $1.7 million in a federal Health Insurance Portability and Accountability Act privacy and security rule settlement, HHS' Office for Civil Rights announced.
In addition, QCA Health Plan of Arkansas in Little Rock agreed to pay $250,000 in a similar settlement, the civil rights office reported in a news release.
Both cases are linked to thefts of laptop computers that lacked data-protecting encryption, according to the agency, which has enforcement authority over HIPAA's privacy and security rules.
The civil rights office launched its investigation of Concentra after receiving a report of a breach incident at its Springfield, Mo., physical therapy center, according to the statement.
The “investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk,” the Office for Civil Rights said. “While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI (protected health information) vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security-management processes in place to safeguard patient information.”
