On November 5, 2019 the Office for Civil Rights (OCR), the government's HIPAA enforcement agency, revealed details of a substantial corrective action plan and a $3 Million HIPAA settlement payment made by the University of Rochester Medical Center (URMC). URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State, with over 26,000 employees.
When URMC filed its 2013 and 2017 HIPAA Breach Reports with OCR, OCR opened an investigation. The reported breaches involved protected health information (PHI) that had been impermissibly disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop.
About OCR’s investigation
The investigation revealed that URMC failed to:
- Conduct an enterprise-wide risk analysis;
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
- Utilize device and media controls; and
- Employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so.
OCR also noted that it had investigated URMC over a similar breach in 2010, involving a lost unencrypted flash drive, and had provided technical assistance to URMC at that time. Despite the previous OCR investigation and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring of its compliance with the HIPAA Rules.