
    Derm practice pays $150K settlement for stolen patient data


    A Massachusetts dermatology practice has agreed to pay a $150,000 settlement to the federal government, the result of an unencrypted thumb drive containing patient data being stolen from a staff member’s car.

    Adult & Pediatric Dermatology, of Concord, Mass., agreed Dec. 24 to settle the potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and must enact an action plan to correct deficiencies in its HIPAA compliance program, the Department of Health and Human Services (HHS) announced in a news release.

    The theft occurred in September 2011, when an unencrypted thumb drive was taken from a practice employee’s car. The thumb drive contained electronic protected health information (ePHI) of about 2,200 patients who had undergone Mohs surgeries. The dermatology practice advised its patients of the theft within 30 days of the incident; the thumb drive was never recovered.

    Even after the theft, HHS determined, the dermatology practice did not conduct an “accurate and thorough” analysis of the potential risks and vulnerabilities to the confidentiality of its ePHI until October 2012, more than a year after the incident.

    Additionally, HHS stated that the dermatology practice did not fully comply with the requirements of the Breach Notification Rule until February 2012. Compliance with that rule calls for written policies and procedures, and for employee training, covering the Breach Notification requirements. The agreement is not an admission of liability by the dermatology practice.

    “As we say in healthcare, an ounce of prevention is worth a pound of cure,” Leon Rodriguez, director of the HHS Office for Civil Rights, stated in the news release. “That is what good risk management is all about — identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”

    1 Comment


    • Anonymous
      When the government does something, it may be often motivated by corruption, but otherwise fanatics are usually in control. If no damage happened to any patients, maybe $150,000 was quite a bit of a heavy hit. Gee, a firing squad would work even better? "First do no harm", never applies to governments, unfortunately.
