A stolen laptop containing research subjects’ personal information will cost one medical research institute close to $4 million to settle the resulting HIPAA case, according to the Office for Civil Rights (OCR), the federal agency that enforces HIPAA.
The Feinstein Institute for Medical Research in New York has agreed to pay $3.9 million to settle potential HIPAA violations stemming from a stolen laptop. OCR began investigating the institute after the computer, which contained protected health information (PHI) of about 13,000 patients and research participants, was stolen from an employee’s car. The investigation uncovered numerous deficiencies in Feinstein’s handling and protection of PHI, according to a news release.
More information, including a link to a copy of the resolution agreement with additional details, is available here. As you read this, think about the data protection measures described in the protocols you either carry out, if you’re a researcher, or review, if you’re an IRB member. Also think about how deeply unpleasant it must be to have to have the “Um, we need a whole bunch of money to settle this HIPAA case” talk with the Powers That Be at the institution.