Covered Entity Fined $150,000 For Stolen Unencrypted Thumb Drive


HHS recently announced that it fined a dermatology practice $150,000 for failing to reasonably safeguard an unencrypted thumb drive and failing to conduct an accurate and thorough risk analysis of electronic PHI. Additionally, the resolution agreement stated that the dermatology practice failed to fully comply with HITECH’s requirement to have written policies and procedures for breach notification. The fine stems from an unencrypted thumb drive that contained the electronic PHI of approximately 2200 patients. It was stolen from an employee’s unattended vehicle and never recovered. This is another reminder to covered entities and business associates that they must conduct a risk assessment of electronic PHI and document their findings and resolutions.

Additionally, while encryption is not required by the HIPAA Security Rule, recent HHS enforcement activity suggests that HHS expects electronic PHI to be encrypted. Covered entities and business associates that are not using encryption should be prepared to demonstrate the other safeguards they have implemented as an alternative to encryption, and should document these alternatives in their risk assessments and written policies and procedures. Had the thumb drive in this case been encrypted, no breach would have occurred and the dermatology practice would have avoided the HHS investigation. A copy of the resolution agreement is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Brown Law Firm | Attorney Advertising