Mobile Device Data Breach Leads to $3 Million HIPAA Settlement


While there’s been a lull in 2019, the data breach and regulatory-related fines from the Department of Health and Human Services do keep piling up.

Earlier this month, the University of Rochester Medical Center (URMC) agreed to a $3 million settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). More significant than the $3 million fine, however, is the substantial program of ongoing “corrective action” that the healthcare organization has agreed to undergo to resolve its HIPAA (Health Insurance Portability and Accountability Act) violations.

As self-described on its website, the URMC is one of the nation’s leading academic medical centers and is “the centerpiece of the University of Rochester’s health research, teaching and patient care missions.” The University of Rochester Medical Center is a private, coeducational, nonsectarian, and nonprofit research university.

The medical center includes Strong Memorial Hospital, the Eastman Institute for Oral Health, the University of Rochester School of Medicine and Dentistry faculty practice, and the University of Rochester School of Nursing.

According to the OCR, the URMC filed breach reports with the OCR in both 2013 and 2017 following the discovery that protected health information had been disclosed in violation of HIPAA: first through the loss of an unencrypted flash drive, and later through the theft of an unencrypted laptop.

The OCR says it investigated the breaches and found that “URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so.”

OCR had previously investigated URMC over a similar breach involving a lost unencrypted flash drive, and says it provided technical assistance to URMC in that case. “Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices,” OCR said.

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, OCR Director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect," Severino said in a statement.

In addition to the monetary settlement, URMC will undertake a corrective action plan that requires two years of monitoring their HIPAA compliance. The agreement and requirements between URMC and OCR can be found here.

According to the agreement, the URMC will have to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by URMC. Within 90 days, URMC must provide HHS with a statement of work (SOW) for that risk analysis, which HHS will either approve or amend.

Then, within 30 days of HHS providing any technical guidance, both parties will meet and review the risk assessment plans. That process will continue until there’s an approved risk assessment statement of work. The URMC will also develop and implement a risk management plan, implement a process for evaluating environmental and operational changes, establish risk management policies and procedures, distribute these updated policies and procedures, provide security training, and more.

So far in 2019 there have been eight HIPAA fines levied, only one fewer than the nine in 2018, but the fine totals are considerably lower: including URMC, $12.9 million in fines to date compared to $28.6 million in 2018.