The Department of Health and Human Services (HHS) announced that Hospice of North Idaho has paid the first settlement involving a data breach affecting fewer than 500 patients. The breach, which occurred in June 2010, was the result of a stolen laptop.
The case mirrors another, in which a stolen laptop led to a data breach at Beth Israel Deaconess Medical Center (BIDMC). The data of approximately 3,900 patients was accessible through the device, though the hospital avoided much of the potential damage this could have caused. Educating employees on device security is a best practice for avoiding breaches of any size.
Theft of unsecured laptops is a common cause of breaches, as exemplified by the Hospice of North Idaho and BIDMC breaches. Health care facilities should have response plans in place in the event of a breach.
The number of patients affected by the North Idaho breach is significant, though it’s not large. More than 57,000 health care data breaches have affected fewer than 500 patients in the last three years, with only 500 breaches affecting more than 500 patients in that same period. A Medicaid data breach affected more than 780,000 patients in Utah. The breach was caused by a hack into a Utah Department of Technology Services computer server. Investigators estimated that 280,000 people had their Social Security numbers stolen during the breach, while the remainder of those affected had less vital data compromised. The original estimate claimed only 24,000 patients were affected by the breach, but that number grew as the investigation continued.
The North Idaho breach shows facilities should now be prepared to pay the price, regardless of the size of the breach. The maximum fine for any data breach is $1.5 million. Hospice of North Idaho paid $50,000 to HHS for its data breach.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” HHS Office of Civil Rights Director Leon Rodriguez said in a written statement.