Connecticut OIG Reaches $90K Settlement with Hartford Hospital and Business Associate Over 2012 Laptop Theft

Hartford Hospital and one of its business associates (BAs), EMC Corporation (EMC), have agreed to a settlement with the Connecticut OIG over the 2012 theft of a laptop containing the unencrypted records of 8,883 Connecticut residents. Hartford Hospital and EMC have agreed to pay $90,000 to settle the incident. The settlement was reached voluntarily, and neither party has admitted liability.

Hartford Hospital engaged EMC in late December 2011 to help complete a quality improvement project. The project's goal was to reduce preventable hospital admissions among patients with congestive heart failure. The project required EMC to analyze patient records, and EMC was given patients' protected health information (PHI) for that purpose.

However, on June 25, 2012, an unencrypted laptop containing patient records was stolen from the home of an EMC employee. According to Hartford Hospital, there is no indication that the data has been misused.

A day after being notified of the theft, Hartford carried out its breach response procedures: it notified the Connecticut OIG and the Department of Health and Human Services' Office for Civil Rights (OCR), sent breach notification letters to all affected patients, and posted a breach notice on its websites. All requirements of the HIPAA Breach Notification Rule were met well within the required timeframe.

A number of security measures were implemented after the breach to reduce the risk of a similar incident happening again. Additional HIPAA training was arranged for the workforce, business managers received further training (using the training module updated after the breach), and affected patients were offered credit monitoring services to ensure they did not suffer losses. As is usual after incidents of this kind, police were unable to locate the stolen laptop, and it has not been recovered since.

Nevertheless, the HIPAA Rules were violated because Hartford Hospital had not obtained a signed business associate agreement (BAA) with EMC before providing it with PHI. This has been a requirement since February 18, 2010, following the introduction of the HITECH Act. All business associates must sign a BAA and agree to comply with the HIPAA Privacy and Security Rules. It was this, together with the failure to encrypt the data, that made a financial penalty necessary. The settlement was reached because resolving the matter was in the interest of all parties.

The settlement also requires Hartford Hospital to continue monitoring its compliance with HIPAA and state law. Reasonable security policies will be maintained to protect patient PHI, and where feasible, PHI will be encrypted on all portable devices. The healthcare provider has also agreed to continue its program of staff training on privacy and security matters. Regular assessments of EMC's policies will also be conducted. Hartford will also ensure that a BAA is in place with every contractor that needs access to PHI.

EMC will likewise encrypt data on portable devices where feasible and appropriate, and has agreed to take the steps required under the HIPAA Rules to protect PHI, as well as to train its employees.

The settlement resolves all issues with the Connecticut OIG, but that does not necessarily mean the matter is closed. The OCR will also have investigated the incident for suspected HIPAA violations and may well decide to issue a financial penalty of its own. Both the BA and Hartford Hospital could potentially be fined by the OCR for violating the HIPAA Rules.

Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.