A mobile health company has reached a $2.5 million settlement with the Department of Health and Human Services, in the first case of its kind involving the protection of health records.
CardioNet, a Malvern, Pa.-based subsidiary of BioTelemetry that operates a mobile monitoring system for patients diagnosed with cardiac arrhythmia, will pay the settlement for not properly securing sensitive patient data and for possibly violating federal privacy laws.
The settlement, which was announced on Monday, coincides with a boom in mobile health technology and an uptick in cyber attacks against health care providers. In 2015, for instance, hackers stole the health records of millions of people covered by the health insurer Anthem.
Health care records are one of hackers’ favorite targets because they can be used to fraudulently bill insurers and obtain medical equipment for resale, among other illegal activities, federal prosecutor Kathryn Haun and Eric J. Topol, a professor at the Scripps Research Institute, wrote in a New York Times opinion piece.
The Government Accountability Office found in August that breaches of electronic health records attributed to hacking and affecting at least 500 people each rose from zero reported incidents in 2009 to 56 in 2015.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” Roger Severino, director of the HHS’s Office for Civil Rights, which led the probe, said in a statement. “Failure to implement mobile device security by covered entities and business associates puts individuals’ sensitive health information at risk.”
The case stems from the January 2012 theft of a CardioNet company laptop containing the private information of 1,391 patients. The enforcement action turned less on the theft itself than on what preceded it: the company had failed “to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of the health records, the resolution with HHS states. It also failed to implement policies and procedures to safeguard electronic health records against improper disclosure by its employees.
Under the settlement, CardioNet must review its cybersecurity risks, adopt a plan to manage them, and revise its company security policies and training program. It must also demonstrate compliance with that plan for two years. The settlement is not an admission of wrongdoing.