HIPAA Violations Involving Unencrypted Laptops Lead to $2 Million in Settlements

The HHS Office for Civil Rights (OCR) has received nearly $2 million in settlements from Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA), resulting from the loss of unencrypted laptops from the companies’ facilities. The settlements were reached to resolve possible violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

“Covered entities and business associates must understand that mobile device security is their obligation,” stated OCR Deputy Director Susan McAndrew in a press release. “Our message to these organizations is simple: encryption is your best defense against these incidents.”


According to the OCR’s investigation, Concentra’s previous risk analyses discovered that a lack of encryption on the company’s laptops, computers, medical equipment, and other devices that contained electronic protected health information posed a serious risk. Although the company took action to begin using encryption, its efforts were not thorough and consistent. Consequently, Concentra agreed to pay over $1.7 million to the OCR, according to the company’s resolution agreement with HHS, after an unencrypted laptop was stolen from one of the company’s physical therapy centers. Additionally, Concentra has agreed to adopt a corrective action plan to remediate the OCR’s findings, which includes: (1) a risk analysis; (2) a risk management plan; (3) evidence demonstrating implementation of planned remediation actions; (4) encryption status updates; and (5) security awareness training.


The OCR also investigated QCA, after a report of an unencrypted laptop containing the electronic protected health information of 148 people was stolen from an employee’s car. The investigation concluded that although QCA encrypted its devices after the breach was discovered, the company failed to comply with HIPAA Privacy and Security Rules from 2005 through June 2012. The company’s resolution agreement with the OCR provided that QCA shall pay a $250,000 monetary settlement. The company was also required to adopt a corrective action plan, in which QCA must: (1) update the company’s security management process, which includes a risk analysis and risk management plan; (2) provide security awareness training to staff; and (3) report any future HIPAA privacy and security violations to HHS.

“These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices,” HHS stated in its press release.