Healthcare News & Insights

Alaska DHSS fined $1.7 million after data breach

The second largest settlement for HIPAA violations so far has some lessons for healthcare organizations. 

The Alaska Department of Health and Social Services (DHSS) recently agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle possible violations of HIPAA regulations. That’s the largest HIPAA fine issued since a $2.25 million settlement involving CVS Caremark Co. in 2009.

The HHS first investigated the DHSS after it reported that a portable hard drive containing the personal health information of 2,000 people was stolen from an employee’s car.

The investigation concluded that the department failed to have the proper policies and procedures in place to protect sensitive health information. Specifically, the DHSS failed to:

  • Complete a risk analysis and implement sufficient risk management measures
  • Train employees on how to handle personal health information
  • Control employees’ use of portable storage devices, and
  • Encrypt drives and devices that held sensitive information.

The settlement underlines the importance of two powerful tools healthcare organizations have available to protect patient data: staff training and data encryption.

First, the employee whose car was broken into should have been taught not to carry sensitive data on an easily lost or stolen portable storage drive, let alone leave it in an unattended vehicle. Second, the drive should have been encrypted so whoever ended up with the device would not be able to access any of the data.
