Lifespan Health System Affiliated Covered Entity (Lifespan ACE) is a non-profit health system based in Rhode Island, sitting at the center of a protected information breach.
On April 21, 2017, Lifespan Corporation filed an initial breach report with the OCR. The report stemmed from the theft of an affiliated hospital employee’s laptop. This wouldn’t be an issue, except that the laptop held copies of electronic protected health information (ePHI), including patient names, medical record numbers, demographic information, and medication information. In total, the breach affected 20,431 individuals.
The resulting investigation discovered that noncompliance was typical within the Lifespan Health System’s network. It found minimal device and media controls, no associate agreement in place, and no encryption on some laptops used to access critical information.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” Roger Severino, the OCR’s director, said in a statement.
Lifespan has agreed to a financial settlement of $1,040,000 with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), as well as two years of monitoring. While this is the usual outcome of such an event, it will be an expensive mishap, both financially and in time spent.
The resolution agreement and action plan can be found on the HHS’ website at: https://www.hhs.gov/sites/default/files/lifespan-ra-cap-signed.pdf