Skip to main content
U.S. flag

An official website of the United States government

Return to Search

Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach

This is an HHS press release of a settlement agreement with Lisespan Health System Affiliated Covered Entity to resolve potential violations of the HIPAA Privacy and Security Rules related to the theft of an unsecured laptop.

Final

Issued by: Office for Civil Rights (OCR)

Issue Date: July 27, 2020

FOR IMMEDIATE RELEASE
July 27, 2020

Contact: HHS Press Office
202-690-6343
media@hhs.gov

Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach

Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop.  Lifespan ACE includes many healthcare provider affiliates in Rhode Island, and has designated itself as a HIPAA affiliated covered entity.1

On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan ACE, filed a breach report with OCR concerning the theft of an affiliated hospital employee’s laptop containing electronic protected health information (ePHI) including: patients’ names, medical record numbers, demographic information, and medication information. The breach affected 20,431 individuals.

OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so.  OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director. 

In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/lifespan-ra-cap-signed.pdf - PDF*.

* People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov.

Footnotes

  • 1. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of 45 CFR Part 164. See 45 CFR 164.105(b)(1).

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.