Oncology group slapped with a $750K fine for losing its patients’ data

Oncology group slapped with a $750K fine for losing its patients’ data

Cancer Care Group, one of the largest oncology radiation practices in Indianapolis has recently agreed to settle and pay a hefty amount of $750,000 as fine to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) for violation and non-compliance of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The breach took place in 2012 when a laptop was stolen from an employee’s car that was left unattended. The laptop contained all sensitive information like protected health information, Social Security numbers, date of birth, insurance data etc. of 55,000 current and former patients at Cancer Care. Not only was the data unencrypted, there was also no risk-management policy in place to take measures in cases of such contingencies. Cancer Care lacked in providing any written policy with respect to any hardware or electronic media that would be removed from the Electronic Protected Health Information (ePHI) facility and even if it did, then it lacked the possible outcome in such cases. Further investigation by HHS revealed that Cancer Care had failed to maintain the security of the data of its patients and comply with the Security Rule as per Title II of HIPAA since 2005, when the compliance came into effect.

In being defensive, representatives of Cancer Care contended that the motive of theft did not seem to be one of back-up media and immediate actions were taken if at all it was a theft. Police report was filed and employees were notified.

However, the matter is settled by Cancer Care with the OCR agreeing to pay a fine of $750,000 along with signing of an agreement to get a risk management policy in place (See Resolution Agreement).[1] Cancer Care has signed this agreement with OCR that shall be submitted to OCR for approval within 90 days of the signing of the Agreement. The policy shall take effect once the OCR approves it. Also, Cancer Care shall take corrective action in order to comply with the specific HIPAA Security Rule as well as the other provisions of the HIPAA Rules, with respect to securing health care data in the future including encrypting mobile storage devices, upgrading data storage equipment and revising policies and procedures.

One security breach for Cancer Care has landed it in a series of policy and security checks by the OCR to ensure that all the policies are in place and there is a diligent risk management action ready to take care of any further breaches for considerable number of years to come.