OCR Settles Breach Notification Case with Massachusetts Provider for $1.5 Million


Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI), a specialty hospital and physician group practice located in the greater Boston area, agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle alleged HIPAA violations associated with the theft of an unencrypted personal laptop containing the electronic personal health information (e-PHI) of approximately 3,500 MEEI patients and research subjects.  MEEI did not admit any liability or wrongdoing in connection with the settlement.

The laptop belonged to a physician affiliated with MEEI and was stolen in February 2010 while the physician was lecturing in South Korea.  The information on the laptop included demographic and medical information, but was believed not to include any social security numbers, financial account numbers or credit or debit card numbers.  According to MEEI, there was no indication that the information on the stolen laptop had been accessed or used inappropriately.

MEEI submitted a report of the breach to the HHS Office for Civil Rights (OCR) as required by the HIPAA Breach Notification Rule, which resulted in an OCR investigation into the matter.  OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain HIPAA Security Rule requirements, such as conducting a thorough risk analysis regarding the confidentiality of e-PHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of e-PHI created, maintained and transmitted by MEEI using portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting and response.  According to OCR, these failures continued over an extended period of time and demonstrated a long-term disregard for the Security Rule requirements.   

In addition to the $1.5 million fine, MEEI agreed to implement a corrective action plan (CAP), which includes a commitment to perform a risk assessment, review policies and procedures and provide staff education.  MEEI must designate an individual or entity to monitor its compliance with the CAP. 

MEEI expressed disappointment in the size of the fine in a statement on its website, noting that the independent specialty hospital’s annual revenue is small compared to other larger institutions that received smaller fines. 

For a copy of the Resolution Agreement, please click here.  To read the HHS press release, please click here.  For the MEEI press release, which includes a link to the press release announcing the breach, click here.

Reporter, Kerrie S. Howze, Atlanta, + 1 404 572 3594, khowze@kslaw.com.

Written by: King & Spalding