Lifespan Health System Affiliated Covered Entity, a not-for-profit Rhode Island health system that's part of Lifespan Corp., has agreed to pay HHS' Office for Civil Rights $1.04 million, the agency announced Monday.
OCR imposed the fine on Lifespan ACE to settle possible HIPAA violations related to an unencrypted laptop that was stolen in 2017.
"Laptops, cellphones and other mobile devices are stolen every day, that's the hard reality," OCR Director Roger Severino said in a statement. "Covered entities can best protect their patients' data by encrypting mobile devices to thwart identity thieves."
In April 2017, Lifespan Corp. reported a data breach to OCR after an employee's personal laptop was stolen during a car break-in in February of that year. The stolen laptop was unencrypted and had access to work emails containing patient names, medical record numbers, demographic information and medication information.
Lifespan Corp. reported the data breach affected an estimated 20,431 patients.
OCR's investigation into the incident found "systemic noncompliance with the HIPAA Rules," including failure to encrypt patient data on laptops and lack of device controls.
The agency also determined Lifespan ACE did not have a business associate agreement in place with Lifespan Corp., its parent company.
In addition to the monetary settlement, Lifespan ACE will also implement a corrective action plan, which includes HHS monitoring the health system's compliance with HIPAA for two years.
There's no evidence to suggest patient data was accessed or misused as a result of the 2017 data breach, according to a statement from a Lifespan spokesperson.
"Lifespan takes these situations very seriously and deeply regrets the incident occurred," the statement reads. "Both prior to the incident and over the past three years we have taken several steps to further enhance our tactics to protect the security and confidentiality of patient information."
Lifespan ACE's fine is the largest HIPAA settlement announced by OCR this year.
Last year, OCR slapped University of Rochester Medical Center with a $3 million fine in response to multiple instances of the health system failing to encrypt mobile devices.