Rhode Island Health System Fined +$1 Million for Failure to Encrypt Laptops

Case: The trouble began when Lifespan Corporation, the parent company of a Rhode Island-based non-profit health system filed a breach report after a laptop containing medical record numbers, medication and other electronic protected health information (ePHI) on more than 20,000 individuals was stolen from one of its hospital employees. HHS Office for Civil Rights (OCR) officials called in to investigate uncovered a slew of systemic HIPAA Rules violations at Lifespan, including not only widespread failure to encrypt ePHI on laptops but also a lack of device and media controls. In addition to a $1,040,000 fine, Lifespan had to sign a corrective action plan that included two years of monitoring. Significance: Laptops, cellphones and mobile devices are stolen every day. That’s why it’s so critical to ensure that those devices are encrypted so that thieves can’t use the ePHI they contain to commit identity theft. While these might seem like obvious points, the Lifespan case is a reminder that systemic breakdowns remain all too common at large healthcare entities and how costly to patients and providers alike they can be when they occur.