A Rhode Island healthcare provider has agreed to pay a US$1,040,000 (€906,000) penalty after the theft of an unencrypted laptop.
It was stolen from an employee of Lifespan Health System Affiliated Covered Entity and contained patients’ names, medical record numbers, demographic information, medication information and other data. The breach affected 20,431 individuals.
The health provider will pay the money to the office for civil rights (OCR) at the department of health and human services, and has also agreed to implement a corrective action plan to settle potential violations of privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA).
An OCR investigation found systemic noncompliance with the rules, including a failure to encrypt health information on laptops.
“Laptops, cellphones and other mobile devices are stolen every day, that’s the hard reality,” said OCR director Roger Severino. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”