Small healthcare data breaches can result in significant fines

On January 2, 2013, the Department of Health and Human Services (HHS) fined the Hospice of North Idaho $50,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA). The primary violation was the loss of an unencrypted laptop containing Personal Health Information (PHI) for 441 patients, but the penalty also covered non-compliance areas such as the hospice's failure to perform a risk analysis and the lack of mobile device security policies and procedures. This is the first HIPAA fine issued for a breach of PHI from fewer than 500 patients.

HHS Office of Civil Rights Director, Leon Rodriguez, made it clear in his statement on the breach that HHS will hold businesses responsible for protecting PHI irrespective of their size.  “This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

This comes as shocking news to some who assumed that HHS would not take action on smaller breaches, which comprise the majority of healthcare breaches. According to the December 2012 U.S. Healthcare Data Breach Trends report, there have been only 500 breaches reported to HHS over the last three years involving more than 500 patients, but the same period has seen 57,000 breaches involving fewer than 500 patients. These businesses should be prepared not only for the cost of notification, lost customers, breach response, and remediation but also for HHS fines in the years ahead.



About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.

1 Comment

  1. Our website has been experiencing security breaches over the past two years, most of which are minor, but recently there were some data promises.
