Lahey Hospital and Medical Center has agreed to pay $850,000 in a settlement with HHS' Office for Civil Rights to resolve alleged privacy and security violations stemming from the theft of a laptop computer with unencrypted patient records. The Burlington, Mass.-based system also entered into a corrective-action plan to address other privacy and security issues raised during the breach probe.
According to the settlement, Lahey reported to the federal agency on Oct. 11, 2011, that an unencrypted laptop used with a CT scanner was stolen from an unlocked treatment room in Lahey's radiology department.
Lahey “impermissibly disclosed” the electronic medical records of 599 individuals “for a purpose not permitted by the privacy rule” under the Health Insurance Portability and Accountability Act, the agency alleges in the agreement.
It also alleged that Lahey failed to meet other HIPAA requirements, including not conducting “an accurate and thorough” security-risk analysis, failing to assign “a unique username for identifying and tracking user identity” on the computer, and failing to “implement a mechanism to record and examine activity” on the computer.