Providence, R.I.-based Lifespan will settle a potential HIPAA violation related to a stolen laptop for just over $1 million, according to an HHS news release.
On April 21, 2017, Lifespan Corp., the health system's parent company and business associate, reported an employee's unencrypted laptop had been stolen. The laptop included protected health information such as patient names, medical records and demographic information.
There were 20,431 individuals affected by the breach.
The Office for Civil Rights conducted an investigation and found the health system had systemic noncompliance with HIPAA rules, including failure to encrypt electronic protected health information as well as a lack of device and media controls. The health system also didn't have a business associate agreement with Lifespan Corp..
Lifespan will undergo a corrective action plan and be monitored for two years as part of the settlement.
More articles on cybersecurity:
University of Utah Health reports data breach affecting 10,000 patients
CVS Pharmacy loses 21,289 patients' information after vandalism
North Carolina medical clinic to pay $25K settlement over multiple HIPAA violations