West Georgia Ambulance, Inc. (West Georgia) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a $65,000 no-fault settlement agreement and two-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
On February 11, 2013, West Georgia submitted a breach report to OCR describing a breach that occurred on December 13, 2012, when an unencrypted laptop fell off the back bumper of an ambulance. The laptop was not recovered and West Georgia reported that exactly 500 individuals were affected by the breach.
OCR’s investigation into this incident revealed that West Georgia failed to:
1. Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI;
2. Have a HIPAA security training program and provide security training to its employees; and
3. Implement Security Rule policies or procedures.
According to the settlement announcement, despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address its systemic failures.