Lifespan, Rhode Island’s largest health-care network, has agreed to pay $1.04 million to the federal Department of Health and Human Services’ Office for Civil Rights to settle potential privacy and security violations related to the 2017 theft of a hospital employee’s laptop.

The laptop contained protected information including the names, medical record numbers, demographic information, and medication information of 20,431 patients, according to a statement released Monday by the Office for Civil Rights (OCR). Lifespan officials said in a statement that there is no indication that any patient information has been accessed or used by anyone as a result of the theft.

The $1.04 million payment is to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

The federal investigation into the breach determined that there was “systemic noncompliance with the HIPAA rules including a failure to encrypt laptops after Lifespan... determined it was reasonable and appropriate to do so,” the statement said. Federal investigators also found that Lifespan lacked proper “device and media controls” and related business associate agreements.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality,” Roger Severino, director of the federal OCR, said in a statement. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”

In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring. 

As part of the settlement, Lifespan has agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. 

The laptop was stolen from a car on Feb. 25, 2017. Lifespan said at the time that the employee immediately contacted law enforcement and reported the theft to the company. 

Lifespan reported the theft to federal authorities on April 25, 2017. No Social Security numbers, financial information, diagnoses or other clinical information were stored on the stolen laptop, Lifespan said in a 2017 statement announcing the breach.

"Lifespan takes these situations very seriously and deeply regrets the incident occurred,'' the company said in a statement. "Both prior to the incident and over the past three years we have taken several steps to further enhance our tactics to protect the security and confidentiality of patient information."

Lifespan's network includes four hospitals: Rhode Island Hospital, Hasbro Children's Hospital, The Miriam Hospital and Newport Hospital.

--story updated at 3:38 PM

-Lynn Arditi, health reporter, can be reached at larditi@thepublicsradio.org.