Lack of Encryption & Other HIPAA Breaches Leads to $1m HIPAA Penalty for Lifespan

The HHS’ Office for Civil Rights has sanctioned a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE)after identifying systemic noncompliance with the HIPAA Rules.

Lifespan is a not-for-profit health system located in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was submitted with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the unauthorized removal of an unencrypted laptop computer on February 25, 2017.

The laptop had been left in the vehicle of a staff member in a public parking lot and was broken into. A laptop was removed that was holding data including patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates.

OCR reviewed the breach and found systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had completed a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through the risk analysis, Lifespan ACE ruled that the use of encryption on mobile devices such as laptops was reasonable and appropriate given the level of risk but failed to configure encryption. The lack of encryption was a violation of 45 C.F .R. § I 64.312(a)(2)(iv).

OCR also found that Lifespan ACE had not created policies and procedures that required the tracking of portable devices with access to a network containing ePHI, nor was there a thorough inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but both entities had neglected to enter into a business associate agreement with each other. Lifespan ACE had also not obtained a signed business associate agreement from its healthcare provider affiliates, in breach of 45 C.F.R. § 164.502(e).

Due to the compliance failures, Lifespan ACE was responsible for the impermissible sharing of the ePHI of 20,431 individuals when the laptop was stolen – See 45 C.F.R. § 164.502(a).

Lifespan ACE agreed to settle the case, pay the financial penalty, and implement a thorough corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, configure encryption and configure access controls, and review and revise its policies and procedures with respect to device and media controls. Those policies and processes must be distributed to the workforce and training must be provided on the new policies. Lifespan ACE’s compliance efforts will be scrutinized by OCR for the duration of the two-year CAP.

Roger Severino, OCR Director, said: “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves” .


Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy. Follow on X: