In what is touted as the first OCR settlement with a wireless health services provider, the OCR announced on April 24, 2017, that it has settled alleged HIPAA violations with Pennsylvania-based CardioNet for $2.5 million.

CardioNet self-reported a data breach in January 2012, stating that an unencrypted laptop of one of its employees was stolen from a vehicle parked outside the employee’s home. (Again? Don’t get us started on why employees STILL have unencrypted laptops in their cars.)

The laptop contained the ePHI of 1,391 individuals who received mobile monitoring and response for cardiac arrhythmias by CardioNet. Since the breach involved more than 500 individuals, the OCR conducted an investigation. It alleges that as a result of the investigation, it found that CardioNet “had an insufficient risk analysis and risk management processes in place” and that the HIPAA Security Rule policies and procedures were in draft form and had not been implemented. Further, according to the OCR, CardioNet “was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”