The U.S. Department of Health and Human Services has levied a $2.5 million fine against a maker of wireless monitoring devices for heart patients for violating patient privacy law and exposing patient data.

The Office for Civil Rights, the arm of the U.S. Department of Health and Human Services that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the law that protects the confidentiality of patient medical records, has fined CardioNet Inc. $2.5 million over a 2012 incident in which an employee's laptop computer was stolen from an unlocked car.

The laptop contained electronic health data on 1,391 individuals, the company says. It is unclear whether the patient data on the laptop was encrypted.

“CardioNet failed to safeguard the disclosure of protected health information by its employees, thereby permitting access to the information by an unauthorized individual, and failed to take steps to immediately correct the exposure,” says the Office for Civil Rights.

In January 2012, CardioNet reported the theft of the laptop to the Office for Civil Rights. The government says its investigation revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. “CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented,” the government says.

CardioNet, which develops remote mobile monitoring products and services for rapid response to patients at risk of cardiac arrhythmias (abnormal heart rhythms), has yet to comment publicly on the fine. But it has signed an agreement with the government under which it will pay the fine and implement a series of tougher HIPAA compliance procedures, to be reviewed regularly by the company and the Office for Civil Rights.

Roger Severino, director of the Office for Civil Rights, says the fine is the first against a mobile healthcare company. “Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss,” Severino says. “This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”