EMC, Hospital Settle With Conn. Over Laptop Theft

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Martha W. Kessler

Nov. 10 — Hartford Hospital and EMC Corp. agreed to pay $90,000 and implement additional control measures to resolve an investigation by Connecticut Attorney General George Jepsen into the 2012 theft of a laptop containing the unencrypted health information of approximately 8,900 state residents.

Rebecca Stewart, a spokeswoman for Hartford Healthcare, told Bloomberg BNA Nov. 10 that the hospital voluntarily entered into the resolution with the attorney general’s office and that to date, there is no evidence that any of the information has been misused.

An EMC spokeswoman Nov. 10 told Bloomberg BNA that the company has “fully cooperated” with Jepsen’s office during its review of the matter. “While EMC believes it did not violate any laws, resolving things by agreement was the best course for all involved,” the company said.

According to the state, the protected health information (PHI) of patients was contained on a laptop that was stolen from the home of an EMC employee who had been retained by the hospital to assist on a quality improvement project.

Training Required 

Under the terms of the Assurance of Voluntary Compliance announced Nov. 6, both the hospital and EMC agreed to implement or continue new training requirements and other policies in response to the breach.

“The responsibilities of those who maintain and use personal information under HIPAA and Connecticut's privacy laws are clear and are appropriately intended to protect the privacy of the patients,” Jepsen said in a Nov. 6 statement.

“All healthcare providers and any contractors who work with healthcare providers should pay close attention to these responsibilities and review their internal controls and policies to ensure that they're doing all they possibly can to comply with the law and to keep this information safe.”

The hospital also agreed to a number of corrective measures to ensure that contractual agreements are properly executed with vendors, that minimum privacy and security controls are instituted when PHI will be shared with a vendor and created new contract templates that incorporate applicable provisions of the Health Insurance Portability and Accountability Act.

The agreement with the attorney general also requires EMC to maintain reasonable policies requiring the encryption of all PHI stored on laptops or other portable devices and transmitted across wireless or public networks and to maintain reasonable polices for employees relating to the storage, access and transfer of PHI outside of EMC premises.


To contact the reporter on this story: Martha Kessler in Boston at mkessler@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com