EMC, hospital to pay $90,000 over stolen laptop with medical data

EMC and Hartford Hospital have agreed to pay US$90,000 to Connecticut in connection with the loss in 2012 of an unencrypted laptop containing patient information of 8,883 residents of the state, according to the state's attorney general.


The laptop was stolen from the home of an EMC employee and was never recovered, according to an "Assurance of Voluntary Compliance" signed by EMC and the hospital with Attorney General George Jepsen.
EMC had been hired as a contractor to the hospital to assist it on a quality improvement project relating to analyzing patient data. The employee had worked for a company that was acquired by EMC, and had received the stolen laptop from that company.

EMC reported the theft to local law enforcement as well as to the hospital. Although the laptop was not found, the hospital has held that there hasn't been any evidence of misuse of the information, the agreement states.
The data contained in the laptop included what is described as protected health information (PHI) under the federal Health Insurance Portability and Accountability Act, better known as HIPAA. "The responsibilities of those who maintain and use personal information under HIPAA and Connecticut's privacy laws are clear and are appropriately intended to protect the privacy of the patients," Jepsen said in a statement Friday.

The agreement will, however, not be considered as an admission by EMC and the hospital of any alleged violations in connection with the laptop incident.

EMC is required to continue to tighten its policies to encrypt PHI when it is stored on laptops and other devices and also when the data is transmitted across wireless or public networks. It is also required to have "reasonable security policies" for employees in connection with the storage, access and transfer of PHI outside EMC premises, and to have policies and procedures for responding to incidents of unauthorized acquisition, access, use or disclosure of such information.

Hartford Hospital has also committed to a variety of measures including privacy and security controls when data is shared with vendors. EMC and the hospital could not be immediately reached for comment.

An EMC spokeswoman told the Connecticut Mirror that "resolving things by agreement was the best course for all involved."

Dell said in October it would acquire EMC in a cash-and-shares deal that valued the company at $67 billion.