Officials at the University of Mississippi Medical Center said Friday they have paid a $2.75 million penalty to the Office for Civil Rights of the U.S. Department of Health and Human Services as part of an agreement to resolve security problems found after the 2013 disappearance of a laptop computer that contained health information for as many as 10,000 people.
The federal agency said UMMC concluded, after an investigation, that a visitor to the intensive care unit probably stole the laptop after asking to borrow it. Because the laptop could access the medical center’s wireless network, whoever took it could get to the data after entering a generic user name and password.
UMMC officials say there is no evidence that health information was accessed or disclosed.
“We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard,” Dr. LouAnn Woodward, vice chancellor for health affairs, said in a statement.
Medical center officials thought they had taken appropriate steps to publicize the loss, but decided they didn’t have enough information to try to notify people individually, medical center spokesman Tom Fortner told The Associated Press Friday. The federal agency disagreed, saying the medical center should have tried to notify individuals.