CardioNet will pay $2.5 million and implement a corrective action plan as part of a HIPAA settlement to resolve its alleged disclosure of unsecured electronic protected health information.
The Malvern, Pa.-based company provides remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias, marking the first HIPAA settlement involving a wireless health services provider. CardioNet in January 2012 reported the theft of a workforce member's laptop to the HHS Office for Civil Rights. The laptop contained ePHI related to 1,391 individuals.
OCR's investigation found CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. It also determined CardioNet did not implement the HIPAA Security Rule, and its policies and procedures for implementing the rule were in draft form. CardioNet was unable to produce final policies or procedures regarding safeguards for ePHI.
"Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss," said Roger Severino, JD, director of OCR. "Failure to implement mobile device security by covered entities and business associates puts individuals' sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected."
Click here to view the HHS release.
Editor's note: Becker's Hospital Review reached out to CardioNet for comment and will update as more information is available.