In February 2012, Concentra Health Service, a subsidiary of Humana, reported a privacy breach involving the protected health information of 148 individuals resulting from the theft an unencrypted laptop from the car of an employee. Upon investigation, the OCR determined that Concentra had conducted multiple risk analyses that identified a lack of encryption on its laptops as a critical risk. Following the investigation, Concentra agreed to pay $1.7 million in penalties with additional reporting requirements to the OCR related to risk analysis and a risk management plan.
Similarly, QCA Health Plan of Arkansas experienced the theft of an unencrypted laptop and has agreed to pay $250,000.
Therefore, health care providers, business associates, and other covered entities must conduct a thorough risk analysis of its security measures and follow through with addressing significant risk areas. Meanwhile, if laptops or other mobile devices containing protected health information are not encrypted, it is imperative to secure those devices now.Back to news