The U.S. Department of Health and Human Services (HHS) this week announced that Massachusetts Eye and Ear Infirmary has agreed to pay $1.5 million to settle potential HIPAA Security Rule violations.

"Two years ago, while a doctor was travelling abroad, his unencrypted laptop -- containing information on roughly 3,500 patients, including patients' prescriptions and other clinical information -- was stolen," writes Threatpost's Christopher Brook. "According to an alert then, the laptop contained no billing information but did contain patients' names, addresses, telephone numbers, emails and other identifiable information. While it was never confirmed that any patients had their information breached, the hospital still informed HHS of the incident and an investigation was initiated."

"The resulting federal investigation indicated that Massachusetts Eye and Ear had 'failed to take necessary steps to comply with certain' Security Rule requirements, including ensuring data maintained on portable devices, such as laptop computers, was protected from unauthorized users and that procedures were in place for identifying and reporting data security incidents," writes Bloomberg's Kendra Casey Plank.

"In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices," Leon Rodriguez, director of the HHS Office for Civil Rights, said in a statement. "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."