Just before Thanksgiving, Lahey Hospital and Medical Center (“Lahey”), a non-profit teaching hospital located in Burlington, Massachusetts, agreed to pay $850,000 for a breach of unsecured electronic protected health information (“ePHI”). Lahey will also be required to implement a corrective action plan.
The breach occurred in 2011 when an unencrypted laptop was stolen from an unlocked treatment room. The laptop, which was used in connection with a portable CT scanner, contained the protected health information (“PHI”) of approximately 599 individuals.
OCR opened an investigation and identified several specific areas in which Lahey was lacking in HIPAA compliance, including the following: