New York medical center charged $3 million in HIPAA penalty
The University of Rochester Medical Center (URMC) recently paid a $3 million civil monetary penalty to the Office for Civil Rights (OCR) for HIPAA violations that include failing to encrypt mobile devices. URMC is one of the largest health systems in New York with more than 26,000 employees.
OCR launched an investigation following receipt of two breach reports from URMC. The medical center filed one report in 2013 after the loss of an unencrypted flash drive and another in 2017 following the theft of an unencrypted laptop.
OCR’s investigation revealed that in both cases, URMC failed to:
- Conduct an enterprise-wide risk analysis
- Employ a mechanism to encrypt and decrypt electronic protected health information when it was appropriate to do so
- Implement security measures sufficient to reduce risks and vulnerabilities
- Utilize device and media controls
Notably, OCR investigated URMC in 2010 concerning a similar breach that involved a lost flash drive. Despite this previous investigation, which led URMC to identify a lack of encryption as a high-risk area, URMC continued to permit the use of unencrypted mobile devices.
In addition to paying the monetary penalty, URMC has agreed to adopt a corrective action plan to address all aspects of noncompliance identified by OCR. The resolution agreement and corrective action plan can be viewed here.