Hospice of North Idaho faces record $50K fine after small data breach

The laptop was stolen out of a hospice worker's car, and the thief was later arrested. The laptop was not recovered, but the Hospice said that there is no evidence of identity theft or other ramifications from the breach. The US Department of Health and Human Services (HHS) has fined the center for the lack of encryption on the data, which violates the Health Insurance Portability and Accountability Act (HIPAA).

The fine is the largest to date for a breach of under 500 records. "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information", said HHS Office of Civil Rights Director Leon Rodriguez in a statement. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable." 

The hospice is largely volunteer-run, yet according to its website it is the largest provider of palliative care in its county – highlighting the well-documented disconnect among small and medium-sized businesses between their human and capital resources and the security requirements they are expected to meet.

A recent Ponemon Institute study found that among SMBs, which often run on very thin margins and without dedicated IT resources, a full 64% of US respondents and 75% of UK respondents cited “insufficient people resources” as a primary barrier to achieving effective security. Also, 62% of UK respondents consider “the complexity of compliance and regulatory requirements” as a key barrier, and 55% listed “lack of in-house skilled or expert personnel.”

The fine may serve as an object lesson from HHS's point of view, but for the Hospice it places a burden on its operations, it said. "As a nonprofit, $50,000 is a lot of money and we are being extra resourceful right now to account for this settlement cost," Amanda Miller, a spokeswoman for the hospice, told the Spokesman-Review.

Nonetheless, the center has put efforts in place to comply with federal requirements and help its patient info-safety along. "Hospice of North Idaho conducted a thorough risk analysis as a part of its security process, increased security measures on all equipment containing patient information, and adopted stronger security policies and procedures to ensure the safety of patient health information," Miller told the paper. "Other measures taken were the encryption of all laptops, stronger password enforcement, and HIPAA privacy and security training on a scheduled basis."
