HIPAA breaches not only damage an organization’s reputation and create an administrative nightmare; they can also cost a pretty penny, as one Boston-based hospital is learning this month.
Beth Israel Deaconess Medical Center will now pay $100,000 to the state of Massachusetts after one of its physicians failed to follow the hospital’s laptop encryption policy and an unencrypted laptop was stolen.
The laptop, which held the protected health information of nearly 4,000 BIDMC patients and employees, was not hospital-issued, state officials noted, but the hospital was aware the physician was using it, which is why the hospital’s own encryption policy should have applied to it.
What’s more, the theft occurred in May 2012, and the hospital did not notify patients of the HIPAA data breach until three months after the event. The federal HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after the breach is discovered.
The $100,000 settlement comprises a $70,000 civil penalty, $15,000 in attorney fees and associated costs, and a $15,000 payment to educational programs related to protecting personal health information.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” Massachusetts Attorney General Martha Coakley said in a Nov. 21 statement. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”