JUNEAU -- Alaska's health department has agreed to a $1.7 million settlement over its compliance with a federal patient privacy law.
The settlement with the U.S. Department of Health and Human Services stems from the 2009 theft of an external hard drive from a state computer technician's vehicle. The settlement was announced Tuesday.
The state agency reported the theft, which was investigated by the U.S. health department's Office for Civil Rights. The investigation found evidence the state agency did not have adequate policies and procedures to protect electronic patient information and had not addressed encryption requirements set out under the law, among other things.
Thor Ryan, chief security officer for Alaska's health department, said Wednesday that the agency is implementing the corrective steps called for by the settlement. A third party will monitor the state's compliance efforts and report back to the Office for Civil Rights. Ryan said the state also will have to pay the cost of the monitor.
Susan McAndrew, deputy director for health information privacy with the Office for Civil Rights, said the enforcement action doesn't focus specifically on the stolen device but rather on the findings of the investigation. The state agency disputes at least one of the findings -- that it didn't have a completed risk analysis.
Ryan said the agency was in the midst of an encryption project when the hard drive was stolen, and that security and privacy procedures were also being reviewed. No information has been recovered since the theft and, to the agency's knowledge, no patient information was compromised, he said.
It's still not known what, if anything, was on the drive, which had been used for three divisions within the agency, Ryan said. The division that works with Medicaid was not among those, an agency spokeswoman said.
A news release announcing the settlement said the state agency agreed to corrective action to properly safeguard electronic information of Medicaid beneficiaries. Alaska's health department is the state agency that administers Medicaid.
As part of the settlement, the state agency acknowledges no liability.