The Price of Unencrypted Devices: $1M Fine for Stolen Laptop

Contact with your questions or to request an appointment.

All health insurance agents and agencies should be aware of the need to have encrypted hard drives on each of their computers. With business level machines, this feature is often standard; however, it may need activating. Consult your computer supplier and see if your machine has an encrypted hard drive, after which you must ensure it is activated. Note that many of today’s carrier appointments ask you to verify that all computers used for your practice are encrypted. Choosing not to do so may result in losing your appointments and commissions due to having unsecured systems.

One side effect of the COVID-19 pandemic is that the sudden need to convert the workplace from onsite to remote operations has required many organizations to use older equipment or personal devices that lack proper encryption, thus putting data security at risk. The use of such devices, combined with the lack of proper controls in place to secure workplace data, can incur significant liability.

Although involving an incident that pre-dates the pandemic, a settlement agreement entered into between the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and Lifespan Health System Affiliated Covered Entity (Lifespan ACE), subject to a July 27, 2020 OCR press release, serves as one example. Under the settlement, which arose from the theft of an unencrypted laptop containing protected health information, Lifespan ACE agreed to:

In February 2017, a hospital employee’s car was broken into while parked in a public lot, resulting in the theft of a MacBook laptop used by the employee for work purposes. It is unclear whether the laptop was provided by the hospital or whether it was a personal device. The encryption settings on the hard drive had not been set, meaning the hard drive and the data stored on it were unencrypted. Lifespan ACE determined that the employee’s work emails may have been cached on the device’s hard drive, and that through the cached emails, the thieves could have access to both patient names and medical records. In addition, the hard drive may have included information about patients across various affiliated providers.

Following an April 21, 2017 breach report filed by Lifespan ACE with OCR, the agency commenced an investigation of the healthcare provider. That investigation determined that there was “systemic noncompliance” with data privacy and security requirements under HIPAA, including “a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so.” OCR also determined that Lifespan ACE lacked “device and media controls,” and failed “to have a business associate agreement in place with the Lifespan Corporation,” the healthcare provider’s parent company. In particular, the consent settlement agreement noted:

  1. Lifespan did not implement policies and procedures to encrypt all devices used for work purposes (see 45 C.F .R. § I 64.312(a)(2)(iv));
  2. Lifespan did not implement policies and procedures to track or inventory all devices that access the network or which contain ePHI (See 45 C.F.R. § 164.3 10(d)(l));
  3. Lifespan did not have the proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of the Lifespan ACE (See 45 C.F.R. § 164.502(e)); and
  4. Lifespan impermissibly disclosed the PHI of 20,431 individuals (see 45 C.F.R. § 164.502(a)).

What’s notable in this case is both the size of the fine assessed against LifeSpan ACE and that the incident spawned from the theft of a single laptop. In a post-pandemic world that requires a remote workforce and virtual operations, a simple precaution of ensuring that all devices used by employees could slip through the proverbial cracks. Thus, when issuing laptops or other devices to employees, or when otherwise contemplating employees’ use of personal devices for work-related functions, organizations must ensure the encryption of workplace data.

Here are some simple solutions to consider:

  • Use of a central enterprise program to manage data encryption of all work-issued devices. Such programs should be set up to override a user’s ability to inadvertently or intentionally disable the data’s encryption.
  • Management of access tools and applications, such as for email, that prevent a user’s ability to transfer data from a workplace network to the hard drive of the personal device used to work remotely. If the data cannot be stored on a personal hard drive, the need to encrypt workplace data is obviated.
  • Implementation and enforcement of policies and procedures that prohibit the storage of workplace data on the hard drive of a personal device. These policies should be acknowledged by employees on an annual basis, at minimum, and be enforced.
  • Controls that encrypt any data transferred from the organization’s network to removable media, like a thumb drive or CD.
  • Teach employees how to arm encryption protocols on personal devices

If an employee is using a personal device at home for company work, they must access their files through Office 365 in the cloud. Employees have full access to Outlook along with Word, Excel, and every other Office 365 program. Make sure files are only stored on OneDrive or other cloud-based services. If you receive emails on your phone or tablet, make sure you have them encrypted– most devices have this as a default when you turn on the passcode or facial recognition.

At this year’s Health-A-Palooza, LeClair Group delivered a CE presentation by RiskSmart Advisors on cyber security. If you wish to seek training, policy documents to identify compliance and support to ensure your practice is compliant, you may reach out to Tony Haux or Tim Olish at RiskSmart Advisors for more information.