How much is the cost of doing nothing when it comes to encryption of sensitive data? In the case of electronic protected health information, about $2 million.

Two companies have been hit with fines equaling a total of almost $2 million to settle alleged Health Insurance Portability and Accountability Act (HIPAA) violations involving stolen, unencrypted laptops, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Tuesday.

OCR conducted an investigation of Concentra Health Services (Concentra) after receiving a breach report that an unencrypted laptop was stolen from one of its facilities.  Concentra’s biggest mistake was its failure to remedy previously recognized security problems.  The company had engaged in multiple risk analyses revealing that a lack of encryption on its laptops and other devices containing electronic protected health information (ePHI) was a critical risk.  While Concentra had taken steps to begin encryption, OCR found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan.

The other organization, QCA Health Plan, Inc. (QCA), notified OCR of a breach in February 2012 involving the theft of an unencrypted laptop computer from a workforce member’s car that contained the ePHI of 148 individuals.  OCR reported that QCA encrypted its devices following discovery of the breach, but that it failed to comply with multiple HIPAA Privacy and Security Rule requirements between April 2005 and June 2012.  In addition to a $250,000 monetary settlement, QCA will provide HHS with an updated risk analysis and risk management plan, including specific security measures to reduce ePHI risks and vulnerabilities.  QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

The Resolution Agreements for Concentra and QCA can be found on the OCR website.

These settlements underscore the need for all entities to encrypt their laptops and other devices. Entities that fail to encrypt may not only be at risk of paying large fines to OCR for HIPAA violations, but they also may be slapped with fines for state law violations.

Other important takeaways:

  • Self-reported breaches do lead to investigations and penalties.
  • Ongoing risk assessments are critical for HIPAA compliance, but so is acting on risk assessment findings.
  • Encryption may be perceived as expensive and/or cumbersome, but it is much cheaper than a seven-figure fine.

As we previously urged: encrypt, encrypt, and encrypt again. Even OCR stated: “Our message to [covered entities and business associates] is simple: encryption is your best defense against these incidents.”