Following the investigation of a self-reported data breach involving the loss of an unencrypted laptop containing the protected health information (PHI) of 13,000 individuals, the OCR slammed the New York based biomedical research Feinstein Institute with a whopping $3.9 million fine. The Feinstein Institute also agreed to a Corrective Action Plan that addresses compliance with the HIPAA Security Rule, including completion of a security risk assessment, and implementation of a risk management program and policies and procedures to address data security.

The laptop in question was password protected, but not encrypted and therefore, did not fall within the safe harbor for breach notification. The laptop contained the names, Social Security numbers and medical information of patients and participants in research projects. It was stolen out of an employee’s car. The OCR noted that the security measures and policies and procedures of The Feinstein Institute did not address removable media, such as laptops.

This case is another example of the importance of security measures related to removable media and implementation of encryption technology as a potential risk management tool.