Stolen Thumb Drive Costs Dermatology Practice $150K | Healthcare Informatics Magazine | Health IT | Information Technology

Stolen Thumb Drive Costs Dermatology Practice $150K

December 31, 2013
by Rajiv Leventhal

A stolen unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals has cost a dermatology practice $150,000 following a settlement with the Department of Health and Human Services (HHS).

The Concord, Mass.-based Adult & Pediatric Dermatology (APDerm), which delivers dermatology services in four locations in Massachusetts and two in New Hampshire, will also be required to implement a corrective action plan to correct deficiencies in its HIPAA (Health Insurance Portability and Accountability Act) compliance program.

According to HHS, this case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The investigation of APDerm opened by the HHS Office for Civil Rights (OCR) found that the unencrypted thumb drive was stolen from the vehicle of one of its staff members. The thumb drive was never recovered.

The investigation revealed that the practice had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the HITECH Breach Notification Rule to have in place written policies and procedures and train workforce members.

“As we say in healthcare, an ounce of prevention is worth a pound of cure,” OCR director Leon Rodriguez said in a statement. “That is what a good risk management process is all about—identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
