$1.55 Million HIPAA Fine for Stolen Laptop
The HIPAA violation occurred when a thief stole a laptop from a locked vehicle owed by a contractor. Although the laptop was password protected, it contained individually identifiable personal health information (PHI) of 9,497 individuals. From the public record, there is no indication that any of the personal health information was breached. However, the employer, North Memorial Health Care of Minnesota, failed to have a business association agreement with the contractor’s employer. The contractor, Accretive Health Inc., had access to North Memorial’s hospital database, which stored the electronic PHI (ePHI) of 289,904 patients and there was no business agreement in place. Furthermore, North Memorial failed to complete a risk analysis of the potential security vulnerabilities for the ePHI it maintained. Once again, this huge fine assessed by the Department of Health and Human Services underscores the importance of having business associate agreements with all third party vendors and performing adequate risk assessments.