EMC and a Connecticut-based hospital have agreed to pay the state $90,000 to resolve an investigation dating back to 2012 regarding the theft of a laptop containing unencrypted patient data.
According to an “Assurance of Voluntary Compliance” agreement signed by both companies, the laptop was stolen from the home of an employee of EMC Corporation, whom was contracted by Hartford Hospital on a project relating to analyzing patient data. Although the laptop was never recovered, the hospital stated it had found no evidence that any of the protected health information (PHI) or other data was misused. Following the incident, the hospital notified the 8,883 state residents whose information was on the stolen laptop, and offered credit monitoring services, as well as identity theft insurance coverage. As part of the settlement signed earlier this month, the hospital agreed to undertake several corrective measures, such as continuing to provide additional training and awareness for its workforce, as well as implementing enhanced security measures. Hartford Hospital spokeswoman Rebecca Stewart told The Connecticut Mirror:
“After the incident occurred in 2012, Hartford Hospital put into place several educational and procedural changes. These include remedial education, new policies, operational checklists, enhanced mandatory compliance training, more robust training modules regarding privacy, new contract templates and additional contracting procedures.”
Similarly, the agreement requires EMC to “maintain reasonable security policies for employees relating to the storage, access, and transfer of PHI outside of EMC premises.” The company will also provide employee training, and periodically assess the effectiveness of its internal controls. However, The Connecticut Mirror reported that the agreement will not be considered as an admission by EMC and Hartford Hospital of any alleged violations relating to the incident.
