Concentra and QCA Health Plan Learn A Costly Lesson

Posted: May 16, 2014
Share This:

Last month, the U.S. Department of Health and Human Services (HHS) reiterated its firm policy on data security, issuing companies Concentra and QCA Health Plan penalties totaling more than $1.9 million dollars.

The root of the penalty? Both organizations suffered theft of unencrypted laptops, placing patient data at significant risk.

Data encryption has long been at the forefront of the Healthcare industry, with HHS continually emphasizing the need for regular security risk analysis to prevent unnecessary data breaches. As highlighted by Susan McAndrew, OCR’s deputy director of health information privacy, during HIMSS14 earlier this year, “compliance and enforcement is really where the action is going to be” in 2014, giving healthcare professionals and organizations a clear warning for the year ahead.


A settlement of $1,725,220 was agreed between Concentra and HHS following the theft of multiple laptops from a Concentra facility. In addition to the settlement, Concentra is also financially responsible for remedial action, including:

  • the implementation of security risk analysis and management plan
  • company security awareness training
  • encryption of all devices
  • annual reports to HHS

Failure to sufficiently meet the above will inevitably result in HHS imposing additional civil monetary penalties, an action Concentra will be keen to avoid considering the cost of the initial penalty. Serving as a warning to others in the healthcare industry, the notably high penalty was imposed following Concentra’s failure to sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations.

QCA Health Plan

Similarly, healthcare insurance provider, QCA Health Plan, agreed to a settlement of $250,000 following the theft of an unencrypted laptop from an employee’s car. While data encryption was a fundamental element of the case against QCA, the penalty incurred was also a result of:

  • a lack of sufficient HIPAA Security policies and procedures
  • a failure to implement preventative policies and procedures
  • inadequacy in managing a security risk assessment
  • a failure to implement security measures and physical safeguards

With QCA encrypting all laptops following the data breach, remedial action focuses on security awareness training across the workforce.

While in both cases the breach was brought to the attention of HHS by the offending organizations, officials have warned that despite self-reporting, any entity that incurs a security breach should not expect leniency for declaring a violation.

For healthcare organizations the solution is clear – create and implement security policies and procedures or face hefty penalties.