Cancer Care Group, a radiation oncology practice in Indiana, paid $750,000 to settle potential violations of the Health Insurance Portability and Accountability Act.
HHS' Office for Civil Rights said Wednesday that it was made aware of a breach at the Indianapolis-based company on Aug. 29, 2012. Someone had stolen an employee's computer and unencrypted backup data, which included unsecured information protected under HIPAA.
The stolen data included names, addresses, dates of birth, Social Security numbers, insurance information and clinical data for about 55,000 current and former patients of the practice. HHS later found that Cancer Care had also failed to comply with HIPAA's security rule, which requires organizations to employ appropriate safeguards to protect against a possible breach.
Cancer Care had not conducted a risk analysis of the company's information security policies and did not have a written policy for taking hardware and disks containing protected health information out of the office, the agency said. Nonetheless, employees frequently brought laptops and disks in and out of the office.
The practice group did not admit liability in the agreement, but it has agreed to adopt a corrective action plan to address its compliance issues. The plan includes a businesswide risk analysis, the development of a risk management plan to mitigate any vulnerabilities found and a review of the company's current information security training program.
In July, St. Elizabeth's Medical Center in Brighton, Mass., agreed to pay a $218,400 settlement to the feds for potential violations of HIPAA privacy and security rules. HHS signaled this year that it wants to work more closely with software developers to educate them on HIPAA, and pledged to update guidance on HIPAA rules regarding cloud storage of health information.