Home » Research Center's Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

Cyber Security NewsCyberSecurity Newswire

Research Center's Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

Healthcare Data Compliance: Maintaining Integrity, Privacy and Security

November 7, 2019

The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for the data breaches it suffered during 2013-2017.

In addition, URCM agreed take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, says a HHS press release. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees, notes the release.

URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively.

According to HHS, OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, OCR Director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

You must login or register in order to post a comment.

The Value of a Unified Approach to Critical Event Management

From extreme weather to cyberattacks to workplace violence, every organization will experience at least one, if not multiple, critical events per year. And in today’s interconnected digital and physical world, the cascading safety, brand, and revenue impacts of critical events are more severe. Organizations need to be prepared through a unified and rapid response to these events.

Poll

Emergency Communications

View Results

Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Security Magazine

2020 January

This month, Security magazine highlights the importance of establishing the right metrics for your security program. Also, we highlight Eric Clay, Director of Public Safety for CoxHealth, and discuss how to build a successful K-9 Program and rethink "red flags" to prevent insider threat attacks. Industry leaders discuss this year's Presidential Election security and 2020 predictions for the security industry.

View More Create Account

Research Center's Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

Related Articles

Related Products

Related Events

Report Abusive Comment