Touted as the first OCR settlement with a wireless health services provider, the OCR announced on April 24, 2017, that it has settled alleged HIPAA violations with CardioNet, based in Pennsylvania for $2.5 million.

CardioNet self-reported a data beach in January 2012, stating that an unencrypted laptop of one of its employees was stolen from a vehicle parked outside the employee’s home. (Again? Don’t get us started on why employees STILL have unencrypted laptops in their cars.)

The laptop contained the ePHI of 1,391 individuals who received mobile monitoring and response for cardiac arrhythmias by CardioNet. Since the breach involved more than 500 individuals, the OCR conducted an investigation. It alleges that as a result of the investigation, it found that CardioNet “had an insufficient risk analysis and risk management processes in place” and that the HIPAA Security Rule policies and procedures were in draft form and had not been implemented. Further, according to the OCR, CardioNet “was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”

According to OCR Director Roger Severino, “Mobile devices in the health care sector remain particularly vulnerable to theft and loss…Failure to implement mobile device security…puts individuals’ sensitive health information at risk. This disregard for security an result in a serious breach, which affects each individual whose information is left unprotected.”

CardioNet settled the allegations for $2.5 million and entered into a Resolution Agreement and Corrective Action Plan, consistent with other OCR settlements.

Lessons learned?

1. Get those HIPAA policies and procedures out, review them, update them, finalize them and implement them throughout your organization.
2. Take a look at policies and procedures around risk assessment and management and update them, finalize them and implement them.
3. Conduct and/or update your security risk assessment.
4. Encrypt all mobile technology.
5. Implement employee education and training.

[View source.]