Last week, Cancer Care Group, P.C. (CCG), an Indiana radiation oncology practice, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $750,000 and adopting a three year corrective action plan.
CCG first reported a HIPAA breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in August of 2012, after a laptop bag containing both a laptop and unencrypted computer server backup media was stolen from an employee’s car. The backup media contained the electronic Protected Health Information of about 55,000 patients and included Social Security numbers, clinical information, and insurance information, among other identifying features. OCR investigated the breach report and found that, prior to the breach, CCG was generally out of compliance with the HIPAA Security Rule. CCG had not conducted a risk analysis, nor had CCG adopted policies or procedures regarding the removal of hardware and electronic media containing Protected Health Information from the CCG facility.
In addition to agreeing to pay $750,000, CCG entered into a corrective action plan for three years. Pursuant to this corrective action plan, CCG must: conduct a risk analysis and submit such analysis to OCR; review and update its risk analysis at least annually; review and revise its HIPAA security policies and procedures; revise its HIPAA security training; and issue regular reports to OCR, among other obligations.
This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.