The University of Rochester (N.Y.) Medical Center has agreed to pay $3 million to HHS' Office for Civil Rights to settle potential HIPAA violations, according to a Nov. 5 news release.
In 2013 URMC filed a data breach report with the OCR stating that an unencrypted flash drive had been stolen. Following the notice that patients' protected health information could have been exposed, the OCR offered technical assistance to URMC.
Then in 2017, URMC disclosed that an unencrypted laptop had been stolen. An OCR investigation found URMC failed to conduct enterprise-wide risk analysis, implement security measures sufficient to reduce risk and vulnerabilities to a reasonable and appropriate level, utilize device and media controls, and employ a mechanism to encrypt and decrypt electronic protected health information.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, OCR director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible."
Along with paying the $3 million settlement, URMC will also undergo a corrective action plan, including two years of HIPAA-compliance monitoring.
More articles on legal and regulatory issues:
Physician group claims West Virginia hospital owes $590K for ED services
Ex-Georgia hospital CEO convicted of 102 federal charges
Dignity Health's $100M class-action settlement is unreasonable, judge says