Case Study of Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc.
The US Department of Health & Human Services released information about MEEI’s HIPAA Case in September 2012.
The incident involved an employee storing patient health information on an unencrypted laptop which was then stolen from the employee.
After an investigation, the Department of Health & Human Services determined that MEEI was in violation of the following:
1. They weren’t conducting risk assessments
2. They didn’t have policies or procedures on portable devices.
3. They didn’t have any access control policies.
4. They had a chronic disregard for security and didn’t take information security seriously.
As a result, they agreed to pay a 1.5 million dollar fine. They will also be subject to semi-annual independent audits for the next three years, and they will have to implement the action plan created by the auditing agency.
