Alaska's Medicaid office will pay $1.7 million to the U.S. Department of Health and Human Services (HHS) for possible violations of a federal law that protects patient privacy, HHS announced Tuesday.

The HHS Office of Civil Rights began investigating potential violations of the federal Health Insurance Portability and Accountability Act (HIPAA) after the Alaska Department of Health and Social Services (DHSS), which runs the state's Medicaid program, issued a breach report. The state agency had found that a DHSS employee's hard drive that may have contained protected health records of Medicaid beneficiaries had been stolen, HHS said in a release.

HHS concluded that the Alaska Medicaid office did not have sufficient policies and procedures to protect patient information. For example, the state health department had not completed a risk analysis for patient data, instituted security training for state workers or implemented data encryption efforts that are required by HIPAA.

In addition to the $1.7 million payment, HHS and Alaska have crafted an action plan to correct those mistakes. A monitor will report to HHS on the state's ongoing compliance status.

Data breaches are a growing concern as more state agencies and health-care providers move toward electronic health records. Since HIPAA took effect in 2003, more than 22,000 complaints of violations have been filed with HHS, Kaiser Health News reported earlier this month. More than 40 percent of medical data breaches have involved portable media devices, such as laptops or hard drives -- as in the case of Alaska.