Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

  • The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
  • URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop
  • Through OCR’s investigation, it was found that URMC failed to conduct an enterprise-wide risk analysis, implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, utilize device and media controls, and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so.
  • This comes after OCR investigated URMC in 2010 concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite this, URMC continued to permit the use of unencrypted mobile devices.
  • In addition to the settlement, URMC must be part of a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.