The radiation oncology private practice Cancer Care Group (CCG), which has 13 radiation oncologists serving hospitals and clinics throughout Indiana, notified the HHS Office for Civil Rights (OCR) in 2012 about a security breach after an employee’s laptop bag was stolen. The bag contained unencrypted backup media, with the names, addresses, birth dates, Social Security numbers, insurance information, and clinical information of about 55,000 current and former CCG patients.
An investigation revealed that CCG had been in “widespread noncompliance” with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred and did not have a written policy covering the removal of hardware and electronic media containing electronic protected health information from its facility.
The OCR found that two issues in particular contributed to the breach: a risk analysis could have identified the removal of unencrypted backup media from the facility as a significant risk, and a comprehensive device and media control policy could have given employees clear guidance on handling such media.
The case was recently settled. Cancer Care Group paid OCR $750,000 and will adopt a “robust corrective action plan” to remedy the deficiencies.
To keep other health care practices from making similar mistakes, HHS offers help for conducting a HIPAA Risk Analysis at http://www.healthit.gov/providers-professionals/security-risk-assessment, with videos and a downloadable security risk assessment tool.