$2.5 Million Settlement Involving Wireless Health Services Provider

On April 24, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced that CardioNet, a Pennsylvania-based supplier of Mobile Cardiac Outpatient Telemetry, had agreed to settle potential noncompliance with the Health Insurance Portability and Accountability Act. As part of the settlement, CardioNet agreed to pay $2.5 million and to implement a corrective action plan.

On January 10, 2012, and February 27, 2012, CardioNet notified OCR of breaches of unsecured electronic protected health information affecting 1,391 and 2,210 individuals, respectively.

OCR’s subsequent investigations revealed that the following conduct occurred:

  • “CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities.”
  • “CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015.”
  • “CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.”

For more information, please visit https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html or contact Heather Skelton of Gardner Skelton PLLC.