True to his word, the Connecticut AG has aggressively entered the data privacy and security enforcement arena with a $90,000 settlement with Hartford Hospital and EMC.
The AG has agreed to a payment of $90,000 from Hartford Hospital and EMC over an incident in which an unencrypted laptop containing personal information of 8,883 patients was stolen from an EMC employee’s home.
The employee was working on a quality improvement project for Hartford Hospital and had apparently downloaded the information onto the laptop.
In announcing the settlement, AG Jepsen stated, “All healthcare providers and any contractors who work with healthcare providers should pay close attention to [data privacy] responsibilities and review their internal controls and policies to ensure that they’re doing all they possibly can to comply with the law and to keep this information safe.”
In addition to paying the penalty, Hartford Hospital agreed to implement additional policies and training protocols. EMC has also agreed to maintain policies requiring encryption of removable media and portable devices.
This is another example of why it is imperative for hospitals, health care providers and their business associates and subcontractors to ensure that no protected health information is downloaded to an unencrypted laptop or portable device, and to use encryption technology to protect health information.