Lahey Hospital and Medical Center has agreed to pay $850,000 in a settlement with HHS' Office for Civil Rights to resolve alleged privacy and security violations stemming from the theft of a laptop computer with unencrypted patient records.
The Burlington, Mass.-based health system also entered into a corrective action plan to address other privacy and security issues raised during the breach investigation.
According to a 10-page settlement agreement, Lahey reported to the federal agency on Oct. 11, 2011, that an unencrypted laptop used with a computed tomography (CT) scanner had been stolen from an unlocked treatment room in Lahey's radiology department.
Lahey “impermissibly disclosed” electronic medical records of 599 individuals “for a purpose not permitted by the privacy rule” under the Health Insurance Portability and Accountability Act, the agency alleges in the agreement. The Civil Rights Office is the primary federal enforcement agency for privacy, security and breach notification rules under HIPAA.
The agency also alleged that Lahey had failed to meet a number of other HIPAA requirements, including failing to conduct “an accurate and thorough” security risk analysis, failing to assign “a unique username for identifying and tracking user identity” on the stolen computer, and failing to “implement a mechanism to record and examine activity” on the computer.
The Lahey settlement comes just a couple of months after Cancer Care Group, a radiation oncology practice in Indiana, paid $750,000 to settle potential HIPAA violations also involving a stolen computer and storage media holding about 55,000 patient records.
According to the Civil Rights Office's list of major breaches involving the medical records of 500 or more individuals, the records of more than 154.1 million individuals have been exposed in 1,401 incidents since records started being kept in September 2009.