November 7, 2019
One lost flash drive and one stolen laptop are costing one hospital system $3 million because both mobile devices were not encrypted. The University of Rochester Medical Center (URMC) has agreed to pay the large fine to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and also take substantial corrective action to settle potential HIPAA violations.
URMC is one of the largest health systems in New York State with over 26,000 employees and includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital.
According to the HHS report issued this week, URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop.
OCR’s investigation confirmed that the ePHI of 43 patients was contained on the stolen laptop and as a result of the theft, that information was impermissibly disclosed. OCR also determined that URMC had failed to conduct a comprehensive, organization-wide risk analysis that included all risks to the confidentiality, integrity, and availability of ePHI, and covered ePHI stored on the lost and stolen devices.
This recent incident was the second time OCR investigated URMC. In 2010, concerning a similar breach involving a lost unencrypted flash drive, the OCR provided technical assistance to URMC. Despite that previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
A risk analysis failure is the most common HIPAA violation cited in OCRs enforcement actions even though the risk analysis is one of the most important elements of HIPAA compliance.
PrivaPlan’s innovative solutions for completing a HIPAA Risk Analysis have been field tested since the HIPAA Security Rule took effect in 2005 and conducted for physician practices, hospitals, community health centers and health agencies, public health departments and business associates with great success. Contact us today for more information.