Hartford Hospital and EMC Corp. will pay $90,000 as a result of the theft of a laptop containing unencrypted patient information. The agreement was reached with the state Attorney General’s office.
According to a statement from the AG’s office, the unencrypted protected health information of approximately 8,883 Connecticut residents was on a laptop that was stolen in 2012 from an EMC employee’s home. EMC had been retained by Hartford Hospital to assist on a quality improvement project on hospital readmissions. While the laptop has not been recovered, the hospital maintains that there is no evidence that the information has been misused.
In an assurance of voluntary compliance, the hospital and the company have agreed to implement or continue new training requirements and other policies in response to the breach.
“The responsibilities of those who maintain and use personal information under HIPAA and Connecticut’s privacy laws are clear and are appropriately intended to protect the privacy of the patients,” Attorney General George Jepsen said in a statement. “All healthcare providers and any contractors who work with healthcare providers should pay close attention to these responsibilities and review their internal controls and policies to ensure that they’re doing all they possibly can to comply with the law and to keep this information safe.”
As a result of the data breach, Hartford Hospital instituted a number of corrective measures to ensure that contractual agreements are properly executed with vendors and that minimum privacy and security controls are instituted when patient health information will be shared with a vendor. It also created new contract templates that incorporate applicable provisions of the Health Insurance Portability and Accountability Act (HIPAA).
The agreement requires EMC to maintain reasonable policies requiring the encryption of all patient health information stored on laptops or other portable devices and transmitted across wireless or public networks, and to maintain reasonable policies for employees relating to the storage, access and transfer of patient health information outside of EMC premises.
