Cybersecurity, Emerging Issues in Security

Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

The University of Rochester Medical Center (URMC) agreed to pay $3 million to the U.S. Department of Health and Human Services (HHS) and take substantial corrective action to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, HHS announced November 5.

Doctor using a tablet PC

Rob Hyrons / Shutterstock.com

URMC, one of New York state’s largest health systems, filed breach reports with the HHS Office for Civil Rights (OCR) in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively.

On investigating, the OCR determined that URMC had failed to:

  • Conduct an enterprisewide risk analysis;
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
  • Utilize device and media controls; and
  • Employ a mechanism to encrypt and decrypt electronic protected health information (e-PHI) when it was reasonable and appropriate to do so.

In particular, the OCR noted, back in 2010 it had investigated URMC concerning a similar breach involving a lost unencrypted flash drive, at which time the agency provided technical assistance. In spite of that, and URMC’s own identification of a lack of encryption as a high risk to e-PHI, the health system permitted the continued use of unencrypted mobile devices, the OCR alleged.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said OCR Director Roger Severino in announcing the settlement. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

Corrective Action

The corrective action plan (CAP) incorporated into the resolution agreement requires URMC to complete a risk analysis and risk management plan, revise its policies and procedures accordingly, and distribute them to all employees to whom they apply. URMC also must implement a process for evaluating environmental and operational changes.

Once HHS approves the revised policies and procedures, URMC must train its workforce members accordingly and have them certify completion as a condition of PHI access. The CAP also requires URMC to report any violations of the policies and procedures to HHS within 60 days, and submit initial and annual “implementation reports” attesting to compliance with the agreement at all locations.

Other OCR Settlements

The URMC settlement came amid a flurry of big-ticket HIPAA privacy and security cases. The OCR also announced a $1.6 penalty against the Texas Health and Human Services Commission (TX HSSC) based on a 2015 incident where e-PHI on more than 6,000 individuals became viewable on the Internet.

The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to e-PHI without access credentials. OCR’s investigation determined that the Department of Aging and Disability Services, which later became part of TX HSSC, failed to conduct an enterprise-wide risk analysis and implement the required access and audit controls on its information systems and applications.

A few weeks earlier, the OCR penalized Jackson Health System in Miami more than $2 million for a series of privacy and security breaches over a period of years, including a media leak of a professional football player’s medical records.

David Slaughter David A. Slaughter, JD, is a Senior Legal Content Specialist for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar. Questions? Comments? Contact David at dslaughter@blr.com for more information on this topic.