Wireless Healthcare Provider to Pay HHS $2.5 Million in Data Security Case

In a case that serves as a cautionary tale of the consequences of lax health data security, HHS announced that wireless health services provider CardioNet has agreed to pay $2.5 million after its insufficient data protection led to personal health information being stolen.

According to a press release from the HHS Office for Civil Rights (OCR), the case centered around a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In 2012, a laptop containing the personal health data of nearly 1400 people was stolen from a CardioNet employee’s car. The theft was reported to the OCR, but a subsequent investigation found that the wireless health services provider “had an insufficient risk analysis and risk management processes in place at the time of the theft.”

CardioNet, which monitors and responds to patients’ cardiac arrhythmias using mobile technology, had not implemented any safeguards for the protection of personal health data, including on mobile devices, nor did it have policies in place to comply with the HIPAA Security Rule.

In the agreement reached this month, CardioNet settled the violations by paying HHS $2.5 million and agreeing to follow through on a corrective action plan designed by the company and OCR to prevent future HIPAA violations. CardioNet must now conduct a thorough security risk analysis, develop and enact a risk management plan, implement secure device and media controls like data encryption, and review and revise its data security and handling training program for employees. All of these steps must be monitored and approved by HHS.

The action plan also included requirements that CardioNet alert HHS to any potential violations that could be considered a reportable event and submit an annual report that assesses and updates its data security strategy. If it breaches any of the agreement components, it could be subject to a fine imposed by HHS.

The press release from OCR was titled “$2.5 million settlement shows that not understanding HIPAA requirements creates risk,” potentially as a warning to other mobile health providers that privacy and security rules violations will be taken seriously. It noted that this was the first settlement that involved a provider of wireless health services.

“Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss,” said Roger Severino, director of OCR, in the statement. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

A survey released this month of 125 health information technology professionals at various health systems confirmed that businesses understand the importance of data security awareness among their employees. Almost 80% of respondents said employee security awareness and culture was their source of greatest concern in terms of exposure to a security threat. The most commonly reported practices in place to mitigate these risks were remote access controls, employee security awareness programs, and security consulting services to assess vulnerabilities.

Issues in healthcare cybersecurity—including the challenge of balancing patients’ rights with system protections—will be featured in a session of next week’s meeting of the ACO and Emerging Healthcare Delivery Coalition in Scottsdale, Arizona. To register, visit our conference page at ajmc.com.