Rhode Island-based health system pays over $1 million to OCR to settle stolen laptop breach

August 4, 2020
Medicare Web

Lifespan Health System, a Rhode Island-based healthcare provider, agreed to pay $1.04 million to the Office for Civil Rights (OCR) and implement a corrective action plan to settle potential HIPAA violations, OCR announced on July 27.

The penalty stems from the theft of an unencrypted laptop.

Lifespan Corporation, the parent company and business associate of Lifespan Health System, filed a breach report with OCR on April 21, 2017 regarding the theft of a laptop when an employee’s car was broken into, according to the resolution agreement between Lifespan and OCR. The laptop contained electronic protected health information (ePHI) including names, medical record numbers, demographic information, and medication information. The breach affected 20,431 individuals.

The subsequent OCR investigation found that Lifespan had failed to implement policies and procedures to encrypt all devices used for work purposes and to track or inventory all devices that access its network or contain ePHI. OCR also found that Lifespan did not have the required business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates.

In addition to the $1.04 million payment, Lifespan agreed to take a number of corrective actions, including revising its business associate policies. Going forward, Lifespan must designate at least one individual to ensure that the organization enters into business associate agreements with its business associates. It must also develop a process for evaluating business relationships and determining which vendors should be considered business associates.

Lifespan also agreed to upgrade its encryption protocol. Within 90 days of the agreement, Lifespan is required to provide proof of its encryption and access controls in a written report to HHS. The report must include the total number of Lifespan devices and equipment, such as desktop computers, laptops, and mobile phones, that may be used to access, store, download, or transmit ePHI, together with evidence that each of these devices is encrypted.

The corrective action plan includes two years of monitoring from HHS.
