The Alaska Department of Health and Social Services (DHSS) will shell out $1.7 million (£1.1 million) to settle violations of the HIPAA Security Rule.
The breach occurred in October 2009 when thieves stole a portable USB stick containing the personal information of 501 state Medicaid beneficiaries.
As covered healthcare entities must report any breach of protected health information (PHI) affecting 500 or more people to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), this department has been hit with a hefty fine.
In this case, the settlement was based not on the number of victims but on the apparently shoddy information security practices the Alaska agency had in place.
Healthcare security regulators said that an investigation, which included an onsite visit, found that DHSS had failed to conduct a risk analysis, deploy adequate risk management practices, complete security awareness training of its employees, or implement measures to control and secure its devices.
This marked OCR's first HIPAA enforcement action against a state agency. Rachel Seeger, an OCR spokeswoman, told SC Magazine US: “The enforcement action does not specifically focus on the stolen portable electronic device, but rather the findings of the investigation.”
The OCR launched a breach notification website in February 2010 as a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a bill that promotes the use of health information technology. HITECH, passed as part of the 2009 economic stimulus bill, is intended to strengthen the protection of identifiable health information by expanding the scope of HIPAA, the Health Insurance Portability and Accountability Act.
Seeger said HITECH instituted a formalised, tiered system for penalties, with investigated entities facing up to $50,000 per violation.
Chester Wisniewski, senior security advisor at Sophos Canada, said: “Unfortunately this goes to show that our governments are similarly inept at data protection as the private sector. The good news is no fraud has been reported related to the loss of this hard drive and this was an opportunity for the department to discover the lack of compliance before another incident occurs.”