RI Health System Paid $1 Million HIPAA Settlement

Rivkin Radler LLP

After a long quiet period, the second HIPAA settlement to be announced by the U.S. Department of Health and Human Services (HHS) in an orchestrated one-two punch was far more costly to the second violator. Lifespan Health System Affiliated Covered Entity paid $1,040,000 to HHS’s Office for Civil Rights (OCR) in June for failing to encrypt laptops and other mobile devices that contained patient data. The previous settlement, announced last week and discussed here, was reached in March.

Lifespan and its affiliates operate seven hospitals and dozens of laboratories, physicians’ offices, ambulatory care centers, behavioral health practices and other facilities throughout Rhode Island. Lifespan filed a data breach report with OCR in April 2017 when it discovered that an unencrypted laptop containing protected health information of more than 20,000 patients had been stolen. OCR’s investigation found that Lifespan had engaged in “systemic noncompliance” with the HIPAA Privacy and Security Rules by failing to encrypt the devices even after determining that it was appropriate to do so, failing to keep track of the devices, and failing to have a business associate agreement in place with an affiliated entity. There was no evidence that any patient information was actually compromised.

In addition to the fine, Lifespan’s Resolution Agreement with OCR included a Corrective Action Plan requiring it to encrypt and maintain access controls on its mobile devices, update its HIPAA policies and procedures, and retrain its workforce, among other things.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
