Lahey Clinic Hospital, Inc. (Lahey) agreed to an OCR HIPAA settlement following an incident in which an unencrypted laptop was stolen, potentially compromising the PHI of 599 individuals. The settlement costs Lahey Hospital $850,000, and the hospital must also enter into a Corrective Action Plan (CAP), which includes “a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities to the ePHI created, received, maintained or transmitted by Lahey.”
The device was taken from an unlocked treatment room “off of the inner corridor” in the hospital’s radiology department. The OCR investigation found that Lahey failed to implement the necessary physical safeguards for a workstation that houses ePHI, and that it “failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process.”
OCR also reported the following findings from its investigation:
- With respect to the workstation, Lahey failed to implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facility, and the movement of these items within its facility.
- Lahey failed to assign a unique user name for identifying and tracking user identity with respect to the aforementioned workstation.
- Lahey did not implement a mechanism to record and examine activity on the workstation at issue in this breach.
- Lahey impermissibly disclosed the ePHI of 599 individuals for a purpose not permitted by the Privacy Rule.
- Lahey must also provide proper training to workforce members who access ePHI, ensuring that they are aware of all policies and procedures in place to keep it safe.
- Lahey must also keep a record of the “receipt, removal, and disposition of hardware and electronic media that maintain ePHI into and out of” the hospital, as well as their movement within the facility.
- Lahey should develop a risk management plan to address and mitigate any security risks and vulnerabilities identified by the risk analysis. The risk analysis report must be sent to HHS within 270 days of Lahey being asked to send it, OCR writes.
“Upon receiving HHS’s notice of required revisions, if any, Lahey shall have ninety (90) days to revise the risk analysis and risk management plan accordingly and forward to HHS for review and approval,” the settlement reads.
Alertsec strengthens security
Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.
Organizations, especially corporate giants, must have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gather. If these policies are not adhered to, the regulators may prosecute.
Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.