On December 26, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $150,000 settlement with Adult & Pediatric Dermatology, P.C. (“APDerm”), a private dermatology practice based in Massachusetts, following a security breach that affected approximately 2,200 individuals. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that “[c]overed entities of all sizes need to give priority to securing electronic protected health information.”

OCR initiated an investigation of APDerm following a report that an unencrypted flash drive had been stolen from a vehicle owned by an APDerm staff member. The flash drive was never recovered and contained the electronic protected health information (“ePHI”) of approximately 2,200 APDerm patients. After the investigation, OCR alleged that APDerm had failed to (1) conduct a timely and thorough analysis of the risks to the confidentiality of its ePHI, (2) fully draft and implement written policies and procedures, and train its workforce, regarding breach notification requirements, and (3) reasonably safeguard the unencrypted flash drive that was subsequently stolen.

Pursuant to the resolution agreement, APDerm has agreed to pay a $150,000 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires APDerm to:

  • conduct a comprehensive risk analysis of the security risks and vulnerabilities to the company’s ePHI;
  • develop a risk management plan based on the risk analysis, which must be approved by OCR;
  • report to OCR any instances of noncompliance by its personnel with its privacy, security and breach notification policies and procedures;
  • submit an implementation report detailing how APDerm will comply with the resolution agreement and the Corrective Action Plan; and
  • retain documents related to compliance with the Corrective Action Plan for three years.

View the resolution agreement.