OCR ends 2019 advertising their $65K settlement and corrective action plan with West Georgia Ambulance, Inc (West Georgia). Their investigation began with a 2013 unencrypted laptop loss; remember when this was actually the most common cause of a breach?!
What is curious about this settlement amount is that OCR's investigation revealed West Georgia didn't conduct a risk analysis, didn't have a security training program, nor implement policy and procedures. Additionally, West Georgia allegedly didn't correct course during the investigation. This case looks like uncorrected willful neglect - so why a modest settlement was reached is a mystery. Even the corrective action plan is set for two years, which is pretty standard.
Whether $65K is a significant financial non-compliance penalty or not, it is avoidable. We recommend encrypting anything mobile. Additionally, we recommend encrypting all other potential ePHI at rest (e.g. computer workstations, etc.) or documenting what alternate security controls exist when encryption isn't deployed. More information can be found by click the OCR graphic below.