The State of Alaska is paying $1.7 million to the federal government for a 2009 security breach of patient data. A federal investigation following the breach found inferior security measures in place at Alaska’s Department of Health and Social Services. The settlement, under the patient privacy law know as the HIPAA act, is the second largest in history and the first against a state agency.
In October, 2009, a portable hard drive was stolen from the car of a computer technician who worked for the State Department of Health and Social Services. The hard drive may have contained patient data from the office of children’s services and public health, so the state was required to report its loss to the federal government. And the investigation that followed found problems with security measures the state was taking to protect patient data.
“The security lapses were fairly fundamental and fairly longstanding,” Susan McAndrew, Deputy Director for Health Information Privacy with the U.S. Department of Health and Human Services, said.
She says the investigation revealed a long list of shortcomings with the state’s security procedures. She says the settlement amount is high because the list of infractions was so long.
“The amount is reflective of the number of violations and the period of time over which they occurred,” McAndrew said.
The state of Alaska never determined whether there was in fact patient information on the hard drive. But Thor Ryan, Chief Security Officer with the State of Alaska says the state’s policy is to air on the side of caution. He says the timing of the incident was unfortunate.
“Because we were part way through an encryption project to guard against just this kind of incident. Unfortunately that particular drive had not been encrypted at the time it was stolen,” Ryan said.
The state hasn’t received any information from patients or law enforcement that anyone was impacted by the security breach. Ryan says after the incident, the department intensified its efforts to encrypt state computers and storage devices. He says the state also enhanced its security and privacy policies for employees.
“And made numerous other improvements that weren’t directly related to the theft to improve our security overall. So in short, it’s improved a lot,” Ryan said.
The only higher settlement amount over a HIPAA privacy act violation was with CVS pharmacy for $2.3 million in 2009. That case involved the improper disposal of patient information on prescription bottles. The Alaska case is the first settlement with a state. McAndrew says states are not entitled to preferential treatment when it comes to protecting patient privacy:
“The rules apply equally to both public and private entities and so we try to deal with both on an evenhanded basis.” she said.
McAndrew says the state was fully cooperative with the investigation. The state says it has already paid the settlement amount.