On Sept 2nd, 2015 Health and Human Services levied a $750k fine for the theft of an unencrypted laptop carrying 55,000 cancer patient records from Cancer Care Group, P.C. In their ruling they cited two major concerns with Cancer Care Group, P.C.: (1) they lacked a comprehensive risk assessment of their organization and (2) they lacked a clear set of policies, including one specific to the removal of electronic media containing patient records.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Lessons Learned: Every business holding privileged or sensitive information (credit cards, health care records, or proprietary data) needs to secure that data by first performing a detailed risk assessment of itself to identify threats and vulnerabilities (risks), and then prioritizing remediation of those risks by assessing the potential impact and likelihood of occurrence. Organizations that follow this advice are well positioned to prevent data breaches, to avoid costly fines, and to avoid a critical loss of their clients' trust.

Source: http://www.hhs.gov/news/press/2015pres/09/20150902a.html