A private physician practice operating in Indiana has reached a $750,000 settlement with the Department of Health and Human Services (HHS) after it was found not to be in compliance with the HIPAA Security Rule.
Cancer Care Group, P.C. agreed to the settlement after a breach of protected health information (PHI) that occurred when an employee's laptop was stolen from his car on August 29, 2012. Unencrypted backup media stolen with the laptop contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of roughly 55,000 current and former patients.
The breach prompted an investigation by the HHS Office for Civil Rights, which found numerous violations of the Health Insurance Portability and Accountability Act's Security Rule. The two most damning findings were that the practice had not recently conducted a risk analysis and that it had no written policy addressing the removal of PHI from its facilities. Both gaps bear directly on the incident: a current risk analysis is where the exposure of unencrypted backup media on portable devices would be expected to surface, and a removal policy is the control that would have governed taking such media off site.
The settlement includes an agreement for Cancer Care Group, which specializes in radiation oncology, to “adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program” according to an HHS press release.
The press release also included the case's resolution agreement and guidance on conducting a HIPAA risk analysis.