The Department of Health and Human Services has imposed a $3 million fine on a healthcare facility for violating the Health Insurance Portability and Accountability Act (HIPAA) by not encrypting data that was on a stolen flash drive and a stolen laptop computer.
The University of Rochester Medical Center appeared to show a pattern of leaving the information on its mobile devices unencrypted. According to an HHS press release, the flash drive was stolen in 2013 and the laptop in 2017; URMC had also been investigated in 2010 over another lost, unencrypted flash drive.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, Director of the HHS Office for Civil Rights (OCR). “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
Although the amount of information exposed on the devices was small (the laptop held the records of 43 patients), OCR found that URMC had failed to conduct an enterprise-wide risk analysis, implement appropriate security measures, put proper policies and procedures in place, and encrypt protected health information.
Along with the $3 million payment, URMC has agreed to take corrective action to address the other shortcomings HHS identified in its investigation. That includes conducting a thorough risk analysis, developing and implementing a risk management plan, revising and redistributing its policies and procedures, and providing additional training to its employees.