Mobile Security breach makes Healthcare provider shell out $2.5 million penalty!


The Office for Civil Rights (OCR) has directed Pennsylvania-based wireless health services provider CardioNet to pay a $2.5 million penalty for negligence in protecting patient data. This OCR HIPAA settlement is the first of its kind involving a wireless health services provider.

Looking further into the details, CardioNet reported to OCR in January 2012 that one of its employees had lost a laptop containing the ePHI (electronic protected health information) of 1,391 individuals. The employee had left the laptop in a car parked outside her home.

When OCR opened a detailed probe, it found, first, that CardioNet did not have a sufficient risk analysis and risk management process in place as required for HIPAA compliance. Second, its HIPAA Security Rule policies were still in draft form and had not been implemented in the healthcare service provider's work environment.

In February 2012, CardioNet notified OCR of a second ePHI breach, this one involving the information of more than 2,219 individuals. This worsened the case under OCR's probe, which later found that CardioNet had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to its ePHI.

As a result, it failed to plan for and implement security measures in time, which led to the second breach. Furthermore, the health services provider failed to formulate the necessary policies and procedures on how electronic media containing ePHI should be handled. In particular, it failed to encrypt its mobile devices and to control how those devices could be removed from the facility.

So OCR imposed a heavy penalty on the wireless health service provider along with an obligation to follow a corrective action plan, which includes the following requirements:
•    Conduct a risk analysis
•    Implement secure device and media controls
•    Review and revise its training program
•    Develop and implement a risk management plan in line with HIPAA rules

It is well known that mobile devices in the healthcare sector are particularly vulnerable to theft and loss, so mobile security is a constant, high-priority concern in this business vertical.

NOTE 1: HIPAA, short for the Health Insurance Portability and Accountability Act of 1996, is United States legislation that protects health data through its privacy and security provisions and the guidelines that implement them.

NOTE 2: OCR is part of the US Department of Health and Human Services. It ensures equal patient access to certain health and human services and protects the privacy and security of patients' health information across the department.

Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
