Recently, the U.S. Department of Health and Human Services (HHS) concluded its investigation into the Lifespan Health System data breach, which took place in 2017. As a result, the non-profit health system based in Rhode Island has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the HHS and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop.
The breach affected 20,431 individuals. In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring.