True to his word, the Connecticut Attorney General (AG) has aggressively entered the data privacy and security enforcement arena with a $90,000 settlement with Hartford Hospital and EMC.
The AG has agreed to a payment of $90,000 from Hartford Hospital and EMC over an incident in which an unencrypted laptop, which contained personal information of 8,883 patients was stolen from an EMC employee’s home.
The employee was working on a quality improvement project for Hartford Hospital and had downloaded the information on the laptop.
In announcing the settlement, AG Jepson stated, “All healthcare providers and any contractors who work with healthcare providers should pay close attention to [data privacy] responsibilities and review their internal controls and policies to ensure that they’re doing all they possibly can to comply with the law and to keep this information safe.”
In addition to paying the penalty, Hartford Hospital agreed to implement additional policies and training protocols. EMC has also agreed to maintain policies requiring encryption of removable media and portable devices.
This is another example of why it is imperative for hospitals and health care providers, and their business associates and subcontractors, to ensure that no protected health information is downloaded to an unencrypted laptop or portable device and a reminder to use encryption technology to protect health information.