Lahey Hospital and Medical Center in Burlington, Mass., has agreed to pay $850,000 to settle potential HIPAA violations with HHS' Office of Civil Rights for a 2011 data breach.
In August 2011, a laptop that accompanied a portable CT scanner was stolen from an unlocked treatment room. The laptop operated the scanner and produced images for Lahey's radiology information system and picture archiving and communication system. The hard drive on the laptop contained protected health information of 599 individuals.
Lahey notified OCR, and the agency's subsequent investigation discovered "widespread non-compliance with the HIPAA rules," including failing to conduct a thorough risk analysis of its electronic PHI, failing to physically safeguard a workstation that accessed electronic PHI, failing to assign a unique username for tracking user identity on that workstation, and impermissibly disclosing PHI, among other findings.
"It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment," said OCR Director Jocelyn Samuels. "Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity's risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA's standards are in place."
In addition to the monetary settlement, Lahey will adopt a corrective action plan to address the gaps in its HIPAA compliance program.