
Mass Eye and Ear Infirmary Hit with $1.5M Breach Settlement

Originally posted by Dianne Bourque in Mintz Levin's Health Law & Policy Matters blog

As the old saying goes, "no good deed goes unpunished." The most recently published Office for Civil Rights (OCR) HIPAA enforcement action is an important reminder that self-reported breaches can and do lead to investigations and enforcement.

Massachusetts Eye and Ear Infirmary (MEEI) was following the HITECH breach notification rules when it reported the theft of an unencrypted laptop in 2010. The laptop contained the protected health information of MEEI patients and research subjects, including prescription and health information. OCR investigated the breach and brought an enforcement action, citing MEEI for a number of HIPAA Security Rule violations. Not unexpectedly, OCR focused on laptop security and on the security of portable devices generally, which has been an OCR enforcement priority.

The MEEI enforcement provides other important reminders for covered entities:

1. Avoid breaches and breach notifications, which can lead to investigations.

2. Encrypt laptops and other portable devices. PHI encrypted in accordance with HHS guidance is not "unsecured" PHI, so the loss or theft of a properly encrypted device does not trigger the breach notification rules in the first place.

3. Keep track of portable devices.

4. The OCR trend toward seven-figure fines is continuing (the MEEI settlement was $1.5 million).

To read the MEEI resolution agreement, click here. The related OCR press release is here.


Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.