The failure to encrypt mobile devices results in a hefty settlement.
The University of Rochester Medical Center will pay a $3 million settlement to the federal government for losing an unencrypted flash drive and a laptop computer that contained patient information.
The flash drive was lost in 2013, and the laptop in 2017, and though URMC filed breach reports for both incidents, the Department of Health and Human Service's Office for Civil Rights said the hospital's response was inadequate.
OCR said the hospital "failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so."
URMC spokesman Chip Partner said the affected patients were notified at the time both incidents occurred.
"We have no reason to believe that any patient’s personal health information was misused," he said.
This was not the first HIPAA violation for URMC. OCR said the hospital failed to take sufficient corrective action in 2010 with a similar breach involving another lost unencrypted flash drive.
OCR said RUMC did not learn from that error and continued to permit the use of unencrypted mobile devices.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," OCR Director Roger Severino said in a media release. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."
Along with the settlement, URMC will adopt a corrective action plan that includes two years of monitoring for HIPAA compliance.
Partner said URMC "is deeply committed to protecting patient privacy, and we continuously improve our IT security safeguards and staff training to reduce the risk of a privacy breach."
"As part of the settlement with HHS, we will undertake a comprehensive audit of security practices and implement any corrective actions needed to ensure our safeguards are as strong as possible," he said.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk.”
OCR Director Roger Severino
John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.
The flash drive was lost in 2013, and the laptop in 2017 and HHS said the hospital's response was inadequate.
HHS said the hospital failed to take sufficient corrective action in 2010 with a similar breach involving another lost unencrypted flash drive.
URMC said the affected patients were notified at the time both incidents occurred, and there's no indication that personal health information was misused.