An unencrypted thumb drive cost a dermatology practice $150,000. On December 26, 2013, the U.S. Department of Health & Human Services (HHS) announced a settlement with Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts (APD) resolving alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). APD, a “covered entity” for HIPAA purposes, has offices in Concord, Westford, Marlborough, and Ayer, Massachusetts, and Wolfeboro, New Hampshire.
The thumb drive contained unsecured electronic protected health information (ePHI) relating to the performance of Mohs surgery for about 2,200 patients. The thumb drive was stolen from the vehicle of one of APD’s employees. APD informed its patients of the theft of the thumb drive and provided a media notice.
HHS investigated and determined that APD did not timely conduct an accurate and thorough analysis of the risks associated with potential exposure of the ePHI. HHS also determined that APD did not fully comply with HIPAA’s administrative breach notification requirements, which call for written policies and procedures and employee training on breach notification. HHS further determined that, by failing to reasonably safeguard an unencrypted thumb drive, APD disclosed ePHI in violation of HIPAA through the access gained to it.
HHS fined APD $150,000 and required APD’s execution of a Corrective Action Plan. The Corrective Action Plan requires APD to develop a comprehensive risk analysis and risk management plan to ensure future compliance with HIPAA and to periodically report to HHS the status of APD’s implementation of the plan. HHS released its right to take further action against APD, conditioned upon full compliance by APD with the Corrective Action Plan. See HHS Resolution Agreement.