July 30, 2020

OCR Reaches Settlement Over Theft of an Unencrypted Laptop

On July 27, OCR reached a settlement with a non-profit system, Lifespan, related to the theft of an unencrypted laptop. Lifespan filed a breach report with OCR after it discovered that a hospital employee’s laptop had been stolen. The laptop contained protected health information of 20,431 individuals. OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules, including a failure to encrypt ePHI on laptops after Lifespan determined it was reasonable and appropriate to adopt encryption. Lifespan has agreed to pay OCR $1,040,000 and adopt a corrective action plan that includes two years of monitoring.