Conn. OIG Reaches $90K Settlement over 2012 Laptop Theft

by | Nov 12, 2015

Following the 2012 theft of a laptop computer containing the unencrypted data of 8,883 Connecticut residents, Hartford Hospital – and one of its Business Associates, EMC Corporation (EMC) – have agreed to a settlement with the Connecticut Office of the Inspector General.

Hartford Hospital and EMC have agreed to pay $90,000 to settle the incident. The agreement was reached voluntarily, and neither party admitted liability.

EMC was employed by Hartford Hospital to assist with the completion of a quality improvement project in late December 2011. The ultimate goal of the project was to reduce avoidable hospital admissions among patients suffering from congestive heart failure. The project required EMC to complete an analysis of patient data, and EMC was provided with the Protected Health Information of patients to assist with this.

However, on June 25, 2012 an unencrypted laptop computer holding patient data was stolen from the home of an EMC member of staff. According to Hartford Hospital, the data does not seem to have been used inappropriately.

After being advised of the theft a day later, Hartford executed its breach response procedures: it notified the Connecticut OIG and the Department of Health and Human Services’ Office for Civil Rights, issued breach notification letters to all affected patients and posted a breach announcement on its websites. All requirements of the Health Insurance Portability and Accountability Act’s Breach Notification Rule were adhered to well within the required timescale.

A number of security controls were implemented following the data breach to lessen the possibility of a similar incident occurring again. Additional compliance training was provided for the staff, business managers received further training (using a new training module developed post-breach) and affected patients were provided with credit monitoring services to ensure they did not suffer losses. As is the norm after incidents such as this, law enforcement officers were unable to find the stolen laptop computer and it has not been recovered since.

However, HIPAA Rules were breached as Hartford Hospital failed to obtain a signed Business Associate Agreement with EMC prior to PHI being supplied. This has been a requirement since Feb 18, 2010, after the introduction of the HITECH Act. All Business Associates must sign a BAA and agree to comply with the HIPAA Privacy and Security Rule. It was this, and the failure to encrypt data properly that resulted in a financial penalty being necessary. The settlement was agreed as it was in the interest of all parties to resolve the matter.

The settlement also states that Hartford Hospital is to continue to monitor compliance with HIPAA and state regulations. Reasonable security policies will be adhered to in order to protect the PHI of patients, and if feasible, PHI will be encrypted on all portable devices. The healthcare provider has also agreed to persist with its program of staff training on privacy and security matters. Periodic assessments of EMC’s policies will also be carried out. Hartford will also ensure that a BAA is in place for all contractors that come into contact with PHI.

EMC will also encrypt data on portable devices, if feasible and appropriate, and has agreed to take the necessary measures to secure PHI in accordance with HIPAA Rules, in addition to providing training to its staff.

The settlement resolves all problems with the Conn. OIG, but that does not mean this is the end of this chapter. The OCR will have similarly reviewed the incident for alleged HIPAA violations, and may well take the decision to issue a financial penalty of its own. Both the BA and Hartford Hospital could possibly be fined by the OCR for breaching HIPAA Rules.


Patrick Kennedy

