CFO Daily News
One stolen laptop cost this company $850K

by Tim Gould
December 17, 2015
Policy and culture

Never doubt the importance of securing devices both physically and with encryption. Failing to do so could end up costing a bundle.  

That lesson was learned the hard way by Lahey Hospital and Medical Center in Burlington, MA. The story dates back more than four years to when a seemingly minor theft led to a huge fine.

Unprotected storage area

Lahey first reported that a laptop was stolen from an unlocked treatment room in the hospital on Oct. 11, 2011. The unencrypted laptop contained electronic protected health information (ePHI) for 599 individuals, so the theft was reported to the U.S. Dept. of Health and Human Services (HHS).

HHS found that Lahey failed to conduct an accurate analysis of risks to ePHI, didn’t have procedures for moving equipment with ePHI around or out of the facility, failed to have unique usernames and tracking information for those who used the workstation and more.

Just last month, the terms of a settlement with HHS were announced. And it was a doozy.

As a result of the agreement, Lahey is required to:

  • pay a fine of $850,000
  • conduct an organization-wide risk analysis of all the equipment and services that it owns, leases or controls
  • develop or revise written policies and procedures on transporting or removing hardware and electronic media that maintain ePHI
  • install programs that “record and examine activity in information systems that contain or use workstations that maintain ePHI utilized in connection with diagnostic/laboratory equipment”
  • train users who deal with ePHI on its policies and procedures, and more.

While encryption alone may not have been enough in this case, it’s important to remember: Encrypting devices with access to this sensitive information could go a long way to preventing a nightmare situation like this.

Plenty of offenders

This hospital is by no means the first one to run afoul of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

According to the Verizon 2015 Protected Health Information Data Breach Report, physical breaches of PHI were the most common in the past year with 677 total incidents. That was followed by errors (524 incidents), misuse (362), hacking (215), malware (110), and social (50).

The top three incident patterns for this compromised information were lost and stolen assets, privilege misuse and miscellaneous errors.

What it means for everyone

This isn’t just an issue for health providers. Anyone looking to keep data safe needs plans both for transferring it securely and for physically securing the devices that hold it.

But having policies isn’t enough. You need to make sure users follow them every time as well. Some keys for doing so:

  • Discipline violations. Companies need to be sure users are complying with their policies. And disciplining and documenting any violations of these policies is essential to being sure they’re actually being followed rather than being paid lip service.
  • Make it personal. Tie your policies into how your workers would like to be treated. Ask them to think about how furious they would be with a company that revealed their personal information online. Then remind your users it’s not a faceless corporation that loses data, it’s individuals like themselves.
  • Train every level. Security training is an absolute must, not just for newly hired employees. In fact, the more tenure an employee has, the more information they’re generally privileged to access. That makes retraining and regular security reminders a must.
