Alaska's Department of Health and Social Services has agreed to pay a $1.7 million fine for shoddy security practices that led to the exposure of personal and confidential medical records.
The settlement stems from the Oct. 12, 2009, theft of a portable hard drive belonging to an IT worker for the DHSS. The 120-gigabyte portable drive, reportedly stolen from the worker's vehicle, contained the personal information of 501 state Medicaid beneficiaries, SC Magazine reported.
Because the records on the drive were not encrypted, they counted as unsecured protected health information, and the state had to report the theft to the U.S. Department of Health and Human Services under the breach notification rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act; an encrypted drive would have fallen under that rule's safe harbor for secured data. The subsequent investigation into the breach exposed the DHSS' lax security practices, which included its failure to conduct a risk analysis or to implement measures to secure its devices.
The U.S. government said the DHSS also failed to deploy adequate risk management practices or to train its employees in security awareness, all of which violated the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).
No reports of fraud have been linked to the stolen drive, but as Chet Wisniewski from the security firm Sophos wrote, "This goes to show that our governments are similarly inept at data protection as the private sector."