The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid the more costly penalties it could have faced had it been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HONI’s settlement, reached last Friday, stems from a June 2010 incident when an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients was stolen from an employee’s vehicle.
For anyone still agonizing over deploying full disk encryption (FDE) on any device that handles protected data: Stop. It. Now. Just buy it. Yes, maybe the breach will happen to the other guy. Maybe the fines will hit the other guy. But clearly HHS wants to make examples of some folks, and you don’t want them to pick you.
By the way, if you are worried about FDE costing a bunch of extra money, I’ll let you in on a little negotiating tactic. If you use Vendor X for endpoint protection, invite the rep in for a visit. Then strategically leave a mug from Competitor Y on your desk. Or maybe even give the rep coffee in the other vendor’s mug. Is that tacky? Sure, but it sends a clear message that you have options for endpoint protection. Which you do.