- The Department of Health and Human Services (HHS) announced in a press release yesterday that Adult & Pediatric Dermatology, P.C. (APDerm) of Concord, Mass., will pay $150,000 in fines stemming from a 2011 data breach.
On Sept. 14, 2011, a thumb drive containing electronic protected health information (ePHI) from APDerm patients was stolen from an employee’s locked car in Lowell, Mass. The breach was considered a potential HIPAA violation. Update: APDerm provided HealthITSecurity.com with a statement regarding the settlement.
Along with protecting our patients’ health and safety, protecting their privacy is our highest priority. In 2011, we were victims of a crime and a computer flash drive was stolen. The stolen information did not include any financial information or sensitive health information. We reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patient’s information.
Today’s settlement announcement was as a result of the 2011 incident. We are disappointed with the amount of the settlement given that the flash drive was never used to anyone’s knowledge, nor did it contain financial information that could be used to harm anyone. We have agreed to pay the settlement amount rather than incur the additional costs of a hearing.
APDerm, a private practice with four Massachusetts and two New Hampshire locations, stated that the thumb drive contained information from roughly 2,200 patients. The data did not include credit card numbers, phone numbers, addresses, health insurance numbers or Social Security numbers. However, it did contain operation reports, consultation letters, and photographs of surgical skin cancer procedures. The thumb drive was not recovered.
The HHS Office for Civil Rights (OCR) determined that APDerm did not properly assess potential risks to ePHI confidentiality, and did not comply fully with the HIPAA Breach Notification Rule requiring employee training and written policies in place. The settlement with HHS also requires APDerm to create a risk management and analysis plan, address any existing risks or vulnerabilities, and to provide the OCR with an implementation report.
This is the first settlement involving a covered entity that did not have proper policies or procedures to meet the Health Information Technology for Economic and Clinical Health (HITECH) Act standards.
“As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez in the press release. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”