OCR Fines Two Organizations Nearly $2M Over Health Data Breaches
April 25, 2014 in News
Concentra Health Services and QCA Health Plan have agreed to pay HHS’ Office for Civil Rights (OCR) settlements over separate data breaches, Health IT Security reports (Ouellette, Health IT Security, 4/22).
Background on Data Breaches
In November 2009, Concentra — a subsidiary of Humana — reported a data breach in Fort Worth, Texas, after an unencrypted laptop was stolen. Medical records of more than 900 patients were compromised during the breach.
Concentra experienced a separate data breach at a physical therapy center in Springfield, Mo., after another unencrypted laptop with 870 patient records was stolen.
QCA Health Plan in Little Rock, Ark., experienced a data breach in February 2012 when an unencrypted laptop was stolen from an employee’s car. The computer contained the medical records of 148 individuals (Conn, Modern Healthcare, 4/23).
Details of Concentra Settlement
OCR found that Concentra previously had recognized security risks caused by a lack of encryption on some of its technology. However, OCR said steps to encrypt the technology were “incomplete and inconsistent over time” (Miliard, Healthcare IT News, 4/23).
In addition, OCR found that the company did not have sufficient security management measures in place to protect patient health information (Modern Healthcare, 4/23).
As a result, Concentra agreed to pay OCR $1.7 million in a settlement. The company also must implement a plan to protect patient health data (Ellison, Becker’s Hospital Review, 4/23).
Details of QCA Settlement
OCR found that QCA “failed to comply with multiple requirements of the HIPAA privacy and security rules” and fined the company $250,000 (Modern Healthcare, 4/23).
In addition, the settlement requires QCA to provide OCR with a risk analysis and risk management plan stating how the company will reduce the vulnerability of patients’ personal health information.
In an announcement, Susan McAndrew, OCR’s deputy director of health information privacy, said, “Covered entities and business associates must understand that mobile device security is their obligation.”
She added, “Our message to these organizations is simple: encryption is your best defense against these incidents” (Hall, FierceHealthIT, 4/23).