50K Penalty After 441-Patient HIPAA Breach

by | Jan 3, 2013

According to Health Insurance Portability and Accountability Act (HIPAA) regulations, healthcare organizations must report data violations involving more than 500 people to the Office of Civil Rights and financial sanctions apply for HIPAA breaches; however security breaches involving fewer people can still result in fines being applied.

In 2010, a laptop computer was illegally obtained from a community non-profit hospice in Hayden, North Idaho. The laptop stored the PHI of 441 patients including Social Security numbers, medical test details, diagnoses, medications issued and other protected patient information. The laptop was given to a nurse from the Hospice of North Idaho who took it home with her at the weekend and left it in her car where it was then taken from.

When data breaches affect more than 500 patients the incident must be mad known to the OCR promptly; however since this incident involved just 441 patients, the report of the theft and data breach was not provided to the OCR until the year end; as required under HIPAA breach notification regulations.

Upon identification of the theft and potential exposure of patient data, the hospice carried out an investigation and put in place strategies to mitigate any damage caused. This involved getting in touch with all 441 patients to tell them that the data had possibly been viewed and free credit monitoring services were provided to the patients concerned. The families of deceased patients were assigned a personal recovery counselor and given family support.

A risk assessment was completed following the theft and industry experts were employed to review the IT systems at the hospice. The services which were being outsourced at the time that the theft happened were also replaced. While all reasonable steps were taken to lessen the damage caused by the breach and to adhere with HIPAA regulations, when the OCR conducted its investigation non-compliance issues were noticed.

The OCR ruled that no risk assessment had taken place before the theft, which was a direct breach of HIPAA regulations. Additionally the hospice had not to implemented appropriate policies and procedures in line with the HIPAA Security Rule and did not take adequate actions to protect data stored on mobile devices.

Negotiations between the hospice and the OCR lead to a settlement of $50,000 being agreed, with the relatively small fine issued due to the prompt action taken by the hospice to address poor data security. The fine could have been much higher, although $50K is a  significant cost to cover by a small non-profit organization. It will now have to  carry out an extensive fundraising campaign to recover the loss.

The OCR also implemented a corrective action plan with a requirement that any future data breaches – of any size – be made known to the OCR within 30 days, which must also be accompanied by specific details of the actions taken to mitigate the damage inflicted.

This incident should serve as a warning to healthcare organizations of all sizes that a failure to adhere with HIPAA guidelines, including the Security Rule, will lead to financial penalties being issued far in excess of the cost of ensuring HIPAA compliance initially. It also shows the massive effort with which the OCR is pursuing offenders and enforcing regulations.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy