Health Law Gurus

Physician Group Practice Pays $750,000 for Breach of Unsecured Electronic Protected Health Information on Electronic Device

Cancer Care Group, P.C. (“CCG”), a radiation oncology physician group practice in Indiana, agreed to pay $750,000 for a breach of unsecured electronic protected health information (“ePHI”). CCG will also implement a corrective action plan.

The breach occurred in 2012 when a CCG employee’s unattended laptop bag was stolen from a car. The laptop bag contained computer server backup media with the ePHI of approximately 55,000 individuals. The computer server backup media was unencrypted, and the ePHI included names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information. The employee’s computer was also in the stolen laptop bag, but it did not contain ePHI.

The OCR opened an investigation and found the following:

• CCG had not conducted an enterprise-wide risk analysis;
• CCG did not have in place policies and procedures regarding the removal of hardware and electronic media with ePHI into and out of its facilities; and
• CCG impermissibly disclosed the ePHI of 55,000 individuals when it failed to safeguard unencrypted back-up tapes.

In the HHS press release, OCR Director Jocelyn Samuels warns that “[o]rganizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.” She further advises that “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

To read the Resolution Agreement and Corrective Action Plan, click here.

To read the press release, click here.