Hartford Hospital and one of its contractors have agreed to pay the state $90,000 and undertake training and security measures to resolve an investigation into the theft of a laptop containing unencrypted patient information in June 2012, according to Attorney General George Jepsen’s office.
The laptop contained protected health information for 8,883 Connecticut residents when it was stolen from the home of an employee of a Hartford Hospital contractor, EMC Corporation. The hospital had hired the company as part of a project aimed at reducing readmissions.
The laptop has never been recovered. Hartford Hospital said it has no evidence that any of the personal information was misused, according to an agreement the two companies reached with Jepsen’s office to resolve the allegations. Patients whose information was on the laptop were notified in 2012.
The agreement calls for the hospital to continue several training and security measures it undertook after the theft. Other requirements include using a combination of hardware and software to encrypt files or data containing protected health information before it is transferred; requiring each employee to certify that he or she has participated in annual privacy training; and submitting a report to the attorney general’s office in one year demonstrating that the corrective action measures are being implemented.
Similarly, the agreement requires EMC to maintain policies requiring, “if technically feasible,” all protected health information to be encrypted if stored on laptops or other portable devices and transmitted across wireless or public networks; to maintain reasonable security policies for employees on storing, accessing and transferring protected health information outside EMC premises; and to provide regular training on protecting and securing protected health information to employees who are responsible for handling it.
The agreement says it “will not be considered an admission” by either company of alleged violations related to the incident.
EMC spokeswoman Katryn McGaughey said Friday that the company had “fully cooperated with the Connecticut attorney general’s office during its review of this matter.”
“While EMC believes it did not violate any laws, resolving things by agreement was the best course for all involved. EMC remains fully committed to the privacy and data security of all customer with which it deals,” she said.
Hartford Hospital spokeswoman Rebecca Stewart said, “We treat all matters related to patient privacy and confidentiality with the utmost seriousness. After the incident occurred in 2012, Hartford Hospital put into place several educational and procedural changes. These include remedial education, new policies, operational checklists, enhanced mandatory compliance training, more robust training modules regarding privacy, new contract templates and additional contracting procedures.”