Oncology group pays $750k HIPAA violation settlement

Indianapolis-based Cancer Care Group has agreed to pay $750,000 to settle potential HIPAA violations with HHS' Office for Civil Rights following a 2012 data breach that compromised the protected health information of approximately 55,000 individuals.

In August 2012, Cancer Care, a radiation oncology private physician practice, notified OCR that a laptop bag containing a computer and unencrypted backup media had been stolen from an employee's car. The computer and backup media contained patient names, addresses, birth dates, Social Security numbers, insurance information and clinical information.

The OCR's investigation into the breach found that Cancer Care was in "widespread non-compliance" with HIPAA, as the group had not conducted an enterprisewide risk analysis when the breach occurred, nor did it have a written policy pertaining to the removal of hardware and electronic media containing PHI from its facilities. The investigation determined these two elements contributed to the breach, as both could have prevented or lessened the risk of the breach.

"Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information," said OCR Director Jocelyn Samuels. "Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."

In addition to paying the settlement, Cancer Care has taken corrective action to become HIPAA-compliant.

More articles on HIPAA:

Who do practitioners feel poses the greatest threat for HIPAA breach? 6 survey findings
HHS: Guidance on HIPAA basics
16 latest updates on data breaches, privacy incidents and HIPAA violations

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars