Dermatology Practice to Pay $150,000 In First-of-Kind Breach Notice Settlement


By Martha Kessler  

Dec. 27 --A Massachusetts-based dermatology practice has agreed to pay $150,000 to settle claims that it violated federal privacy rules, the Department of Health and Human Services announced Dec. 26.

The pact marks the first settlement with a Health Insurance Portability and Accountability Act-covered entity for failing to have sufficient policies and procedures in place to address the breach notification provisions in the Health Information Technology for Economic and Clinical Health Act, the HHS said in a statement.

The HHS Office for Civil Rights said that Adult & Pediatric Dermatology PC (APDerm) of Concord, Mass., is also required, as part of a resolution agreement, to put in place a corrective action plan to address deficiencies in its HIPAA compliance program. The corrective action plan requires APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to the OCR.

OCR Investigation

The OCR said it opened an investigation of APDerm after receiving a report from the dermatology practice in October 2011 that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals had been stolen from a vehicle belonging to one of its staff members. The thumb drive was never recovered.

According to the resolution agreement, APDerm notified its patients of the theft of the thumb drive within 30 days of the theft and provided media notice at that time.

However, the OCR said its investigation revealed that APDerm hadn't conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 2012, a year after the theft was reported. The practice also failed to have written policies and procedures in place and failed to train workforce members, as required under HIPAA rules, until February 2012, according to the OCR.

The OCR said in the agreement that it found that APDerm “impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle” of one of its workers.

“As we say in health care, an ounce of prevention is worth a pound of cure,” OCR Director Leon Rodriguez said in the statement. “That is what a good risk management process is all about--identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”

APDerm's Response

APDerm told Bloomberg BNA in a statement Dec. 27 that, “Along with protecting our patients' health and safety, protecting their privacy is our highest priority.”

The practice, which has four locations in Massachusetts and two in New Hampshire, said the stolen information didn't include any financial information or sensitive health information.

“We reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patient's information,” the company said.

APDerm said it is disappointed with the amount of the settlement, “given that the flash drive was never used to anyone's knowledge, nor did it contain financial information that could be used to harm anyone. We have agreed to pay the settlement amount rather than incur the additional costs of a hearing.”

The resolution agreement states that the agreement isn't a concession of liability by APDerm.
