It appears that the US HHS is adopting the UK approach of heavy fines for small data breaches [TA 10 Aug]. $1.5 million was the cost of the HHS-Office of Civil Rights (OCR) penalty against Massachusetts Eye and Ear Infirmary, a teaching hospital of Harvard for a 2010 theft of an unencrypted laptop. According to Privacy Rights Clearinghouse (the easiest place to research data breaches), the breach involved 3,526 records–and no SSI numbers. This ‘gotcha’ is similar to the June agreement by the Alaska Department of Health and Social Services to pay HHS-OCR $1.7 million to resolve the theft of an unencrypted storage device that allegedly contained data on about 500 Medicaid patients. Editor Donna wonders what penalty the August theft of 55,000 records on a server backup from Cancer Care Group of Indianapolis, Indiana will reap, since it reportedly contained the motherlode: names, birth dates, insurance information and SSI numbers. Another Big Fine After a Small Breach (HealthcareInfoSecurity) And where HHS is, class action lawsuits follow. A recent Florida state appellate court ruling might lead to the first US class action lawsuit involving a health data breach to move to trial. This involves the December 2009 theft of unencrypted laptops from the AvMed health plan of Gainesville, which contained the personal information of 1.2 million current and former members–two members subsequently experienced identity theft. Breach class action suit advances.