CardioNet, a provider of remote heart monitoring services, has agreed to pay the US Department of Health and Human Services’ Office for Civil Rights (OCR) $2.5 million after it was found to have compromised the electronic protected health information (ePHI) of 1,391 people.
The violation dates back to 2012, when CardioNet notified OCR that an employee’s laptop, which contained unencrypted ePHI, was stolen after being left in a parked vehicle outside their home.
In February 2012, CardioNet reported a second potential ePHI breach involving the information of 2,219 people.
This is the first Health Insurance Portability and Accountability Act (HIPAA) settlement involving a wireless health services provider.
Settlement isn’t an admission of guilt
According to OCR’s resolution agreement, “CardioNet failed to implement the specifications required to establish a security management process to prevent, detect, contain, and correct security violations.
“Specifically, CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities.”
Additionally, OCR found that CardioNet had not implemented the necessary policies and procedures governing media containing ePHI, including when mobile devices must be encrypted and how such devices should be moved out of the facility.
According to the settlement, the agreement is “not an admission of liability,” but CardioNet has still agreed to follow a corrective action plan that includes submitting a risk analysis and risk management plan to the Department of Health and Human Services for approval.
This is the seventh HIPAA settlement agreed between OCR and covered entities so far this year, bringing the total sum paid in settlements to $11,426,000.