Stolen Laptop Leads to Heavy Fine

Protecting Patient Information

As a health care attorney who represents Colorado physicians, dentists, medical and dental practices, and other healthcare professionals and practices in various legal issues, I am always on the alert for new legal issues that could potentially affect my clients.

With the fast roll of technology and its impact on the medical field, it’s important for doctors, physician assistants, nurses, and other healthcare professionals to ensure that they have upgraded their security protocols to adequately shield patients’ medical information.

Casual measures meant to protect patient privacy may not satisfy the U.S. Department of Health and Human Services definition of acceptable privacy practices, as a Boston medical center recently discovered.

Stolen Computer Results in $1.5 Million Fine

  • Last September, the Massachusetts Eye and Ear Infirmary (MEEI) agreed to pay a $1.5 million fine to the Department of Health and Human Services to settle “potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule,” according to the news release on
  • While traveling, a doctor’s laptop was stolen along with the unencrypted medical information of 3,500 patients. Although no billing information was acquired by the thieves, the patients’ prescription and clinical information was readily available.
  • “In addition to the $1.5 million settlement, the agreement requires MEEI to adhere to a corrective action plan, which includes reviewing, revising, and maintaining policies and procedures to ensure compliance with the Security Rule.
  • An independent monitor will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.”

Preempting Data Theft

While the transportation of unencrypted medical data, in this instance, may be viewed as unusually careless, it has become increasingly common. With more and more medical data being viewed and stored on personal media devices such as laptops, tablets, smart phones, portable backup hard drives, flash drives, et cetera, there is a greater risk of information being downloaded or viewed on a device outside of a secure network.

A single breach in patient privacy puts an entire practice at risk of censure and fines from the Department of Health and Human Services.

As a Colorado medical professional attorney, I recommend for my clients to institute strict security protocols for not only the data itself, but for the devices used to store and transport HIPAA protected patient information.

It’s also important to train the partners and employees in a practice as new technology comes on line. Not every security breach is an act of willful indifference. In many cases, the doctor or nurse or other staff member is unaware that he or she is putting the patients’ medical information at risk.

There are many measures healthcare practices and professionals can take to reduce the risk of unintended disclosures of patient information. As an attorney representing healthcare professionals, I would much rather have my clients contact me before disaster strikes, thereby protecting patient information, maintaining compliance with HIPPA, and avoiding the costly process of defending against claims or negotiating settlements.

This article is for informational purposes only and should not be taken as legal advices. No attorney client relationship is formed by reading this article. If you would like specific legal advice about your situation or other healthcare legal issues you may contact Philip M. Bluestein, Esq. at (720) 420-1777.