$2.5 Million Settlement agreed by Wireless Health Services Provider for HIPAA Violations

by | Apr 25, 2017

CardioNet, a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias, has agreed a $2.5 million settlement to resolve potential HIPAA violations.

Compensation settlements have, in the past been, agreed with healthcare providers, health plans, and business associates of covered bodies, but this is the first-time OCR has settled potential HIPAA breaches with a wireless health services provider.

The settlement relates to a data breach made known to OCR in January 2012. In 2011, an staff member of CardioNet left a laptop computer in a vehicle that was parked outside their home. The laptop computer was stolen, leading to the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is normal following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR carried out an investigation to ascertain whether the breach was a direct result of violations of HIPAA Rules.

A risk analysis has been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, when the breach occurred, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to be in compliance with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been put in place. OCR asked for final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation in relation to the implementation of ePHI safeguards for mobile devices.

CardioNet was also found to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the not implementing encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that holds the ePHI of patients is vulnerable to theft or loss. When those devices are taken from the offices of a HIPAA-covered entity, the risk of theft or loss increases greatly. Covered entities must therefore put in place appropriate safeguards to ensure that, should those devices be stolen or lost, ePHI remains protected.

OCR Director, Roger Severino, stated that the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

This latest HIPAA compensation settlement will send a strong message to covered entities that the failure to be in accordance with HIPAA Rules can have serious financial ramifications. Additionally, it emphasizes the point that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to be acting in accordance with HIPAA Rules.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy