Healthcare provider to pay US$1m for stolen laptop breach

A Rhode Island healthcare provider has agreed to pay a US$1,040,000 (€906,000) penalty after the theft of an unencrypted laptop.

It was stolen from an employee of Lifespan Health System Affiliated Covered Entity and contained patients’ names, medical record numbers, demographic information, medication information and other data. The breach affected 20,431 individuals.

The health provider will pay the money to the office for civil rights (OCR) at the department of health and human services, and has also agreed to implement a corrective action plan to settle potential violations of privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA).

An OCR investigation found there was systemic noncompliance with the rules, including a failure to encrypt health information on laptops.

“Laptops, cellphones and other mobile devices are stolen every day, that’s the hard reality,” said OCR director Roger Severino. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”

