Dermatology Practice that Lost Patient Data will Pay $150,000 Fine

This content comes from Conomikes Associates Inc., a resource on practice management tips for community physicians, practice managers and medical office staff for more than 20 years.

In September 2011, someone broke into the locked car of an employee of Adult & Pediatric Dermatology in Concord, Massachusetts, and stole a computer bag.

Inside the computer bag was a thumb drive containing information on approximately 2,200 patients who had undergone Mohs surgery. The thumb drive was unencrypted. It was as if 2,200 paper charts had fallen off a truck and fluttered down the highway.

Last week, the U.S. Department of Health and Human Services (HHS) announced that the practice had agreed to pay the government $150,000 as part of a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement does not amount to an admission of liability by the practice, nor a concession by HHS that the law had not been broken.

The 12-physician practice also agreed to analyze the security risks of its computer systems and electronic media and then develop a plan to improve security.

An HHS investigation found that Adult & Pediatric Dermatology had not performed a thorough analysis of its digital vulnerabilities until a year after the thumb drive was stolen, according to the settlement. In addition, HHS said that the practice “did not reasonably safeguard” the unencrypted thumb drive.

This practice could have avoided this fine by following two simple procedures:

  1. No individual, physicians included, should be permitted to download any patient data and take it off site.
  2. All patient data, when downloaded, should be encrypted.