Cancer Care Group, an Indianapolis based Oncology practice learned a lesson the hard way.
They allowed an employee to have an unencrypted laptop and a server in his car, from which both computers were stolen.
They discovered that the computers contained protected health information – social security numbers and insurance data for 55,000 patients.
The practice was in general denial regarding the HIPAA security rule – they had no written policy regarding removal of electronic media from the premises and did not conduct an enterprise risk assessment after the computers were stolen.
Now, as a result of this settlement, besides being $750,000 poorer, they will now have a partner in their security program – Health and Human Services. HHS will need to approve their corrective action plan and review all those procedures that they did not have in place.
HHS is someone I would prefer NOT to have as my security partner.
Deal with it now or deal with it later. Later is likely to be more expensive.
Information for this post came from Health Care News.