"[One] investigation involved a breach of 599 individuals' protected health information (PHI) when an unencrypted laptop was stolen from a workstation.... The significant failures within [a second] compliance program included a lack of administrative, physical, and technical safeguards to protect PHI, a failure to conduct an adequate risk analysis of all applications using ePHI, and impermissible use or disclosure of PHI to outside vendors and within mailings. [A third] investigation involved a breach of approximately 90,000 individuals' ePHI after an employee fell prey to a phishing email and opened an attachment containing malware.... Although the three settlements involved different types of a breach, a common theme ... is that the covered entity failed to perform a comprehensive risk analysis."  MORE >>