Not Encrypting a Laptop Cost Lifespan $1,040,000
A recent HIPAA enforcement action highlights how something as simple as encrypting your devices could save you millions of dollars.
Lifespan is on the hook for $1,040,000 after the theft of a laptop led to an investigation that uncovered other HIPAA violations. The breach impacted a little more than 20,000 patients. The theft occurred when an employee of a business associate had their company laptop stolen. The business associate was Lifespan Corporation, the parent company of Lifespan ACE.
In addition to financial enforcement, Lifespan was also placed on a two-year corrective action plan. A corrective action plan means the OCR will oversee the implementation of Lifespan’s HIPAA program. This will add to the overall cost of the HIPAA breach.
The agreement illustrates how basic and easily applied IT management procedures could have saved Lifespan a lot of money and time. Here is a breakdown of some of the short- and long-term costs of any data breach.
- Financial Enforcement
- Corrective Action Plan
- Potential Lawsuits (depending on State Laws)
- Loss of Reputation/Loss of Trust Among Patients
- Other Remediation/Training
These items and more could lead to millions of dollars in costs. What makes this HIPAA enforcement surprising is that it was completely avoidable. If Lifespan had encrypted the laptop, it would not even have had to report the theft. Because the laptop was not encrypted, Lifespan was concerned that emails may have been cached on the laptop and therefore had to report the breach.
In addition to the unencrypted laptop, the OCR uncovered the following HIPAA violations:
- Lifespan did not implement policies and procedures to encrypt laptops and mobile devices
- Lifespan did not have business associate agreements in place. Even though the healthcare providers fall under the same umbrella, one is a covered entity and the others are business associates, so business associate agreements are still needed.
- Lifespan did not implement policies and procedures to track all devices.
The OCR determined that this led to the improper disclosure of the information of 20,431 patients.
We spend a lot of time talking about phishing and ransomware, and that is because they make up a large percentage of HIPAA data breaches. It is hard to believe that in 2017 (when the theft occurred) we still needed to have a conversation about encrypting your devices to protect patient information.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
Loss or theft of devices/equipment still ranks as one of the top 5 cybersecurity threats according to the 405d federal task force. The items in the HIPAA resolution agreement for Lifespan all relate to loss and theft of equipment. Healthcare providers and business associates (and really all businesses) need to encrypt devices and have an inventory/tracking plan in place.
The other 4 cybersecurity threats being addressed by the 405d Task Force are:
- Email Phishing Attacks
- Ransomware Attacks
- Insider Threats (accidental and intentional)
- Attacks against medical devices
Do not get caught with a million-dollar settlement plus more. Encrypting your devices will save you a lot of heartache and financial loss, and it just might save your reputation.
If you are a smaller healthcare provider or business associate, defending against these threats might seem like a daunting task. Enlisting help is always advised.
We are part of the 405d task force and are working to help mitigate these and other risks. We work with HIPAA Covered Entities and Business Associates to reduce risk and strengthen their cybersecurity posture and compliance.