For the first time, a small data breach draws a big fine ($50K)

Idaho hospice to pay $50,000 for HIPAA violation

Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such penalty involving fewer than 500 data-breach victims.


The data was unencrypted.

The Department of Health and Human Services (HHS) announced last week that it has reached an agreement with the Hospice of North Idaho that will see the hospice pay $50,000 for violating the Health Insurance Portability and Accountability Act (HIPAA).

"This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information." said HHS Office of Civil Rights Director Leon Rodriguez in a press release. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

While the hospice's failure to encrypt patient data is egregious by any measure, you can count me among those wondering if perhaps HHS could have found a less sympathetic violator to hold up as an example. From the organization's website: "Hospice of North Idaho cares for thousands of our neighbors and loved ones each year with a staff of over 100 and a volunteer force nearly double that.  ... Hospice of North Idaho provides services for over 50% of our dying in Kootenai County; it is the community leader for hospice and palliative care."

According to an article in The Spokesman-Review, the laptop was stolen from a hospice worker's car, and although the thief was apparently apprehended, the computer was not recovered. Amanda Miller, a spokeswoman for the hospice, told the newspaper that there was no evidence that any patient information had been abused.

"As a nonprofit, $50,000 is a lot of money and we are being extra resourceful right now to account for this settlement cost," (Miller) said.

"Hospice of North Idaho conducted a thorough risk analysis as a part of its security process, increased security measures on all equipment containing patient information, and adopted stronger security policies and procedures to ensure the safety of patient health information," Miller said. "Other measures taken were the encryption of all laptops, stronger password enforcement, and HIPAA privacy and security training on a scheduled basis."

The full agreement between the government and the hospice center can be read here.

Welcome regulars and passersby. Here are a few more recent buzzblog items. And, if you’d like to receive Buzzblog via e-mail newsletter, here’s where to sign up. You can follow me on Twitter here and on Google+ here.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2013 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)