The US Department of Health and Human Services (HHS) has penalized CardioNet with a $2.5 million settlement after a data breach exposed health data on 3,610 CardioNet clients, according to a resolution agreement reached between the parties this month.
Back in January and February 2012, CardioNet notified HHS of the breaches, the agreement states. The breaches occurred after an unencrypted laptop with clients' "protected health information" was stolen from a vehicle outside of a CardioNet employee's home, according to a report in InfoRisk Today.
An arm of HHS launched a federal investigation, which found indications that CardioNet had failed to put security procedures in place to prevent, detect, contain, and correct security violations, and had failed to conduct a risk analysis to identify potential vulnerabilities and risks. The company also appeared to lack security policies and procedures governing the movement of electronic media and hardware in and out of its facilities, such as ensuring that media was encrypted, according to the agreement.
Under the agreement, there is no "admission of liability by CardioNet," and it is "not a concession by HHS that CardioNet is not in violation of the HIPAA Rules and not liable for civil money penalties."