$3M settlement reached in URMC HIPAA case involving stolen flash drive, laptop
The center also agreed to take substantial corrective action after protected health information was disclosed in separate 2013 and 2017 breaches
by EMS1 Staff
ROCHESTER, N.Y. — The University of Rochester Medical Center has agreed to pay $3 million for HIPAA violations stemming from two stolen, unencrypted devices.
The U.S. Department of Health and Human Services announced the settlement with the Office of Civil Rights on Tuesday, adding that URMC will also take “substantial corrective action” following the breaches.
The medical center, one of New York’s largest health systems with over 26,000 employees, filed breach reports in 2013 and 2017 following the loss of a flash drive in 2013 and theft of a laptop in 2017. Both devices were unencrypted and disclosed protected health information (PHI).
An OCR investigation showed URMC failed to conduct an enterprise-wide risk analysis, implement sufficient security measures and appropriately encrypt electronic PHI.
The OCR had previously investigated URMC in 2010 for a similar incident involving a lost flash drive. The office said the center continued to use unencrypted devices afterward despite acknowledging the high risk they posed to PHI.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said OCR Director Roger Severino. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."
URMC’s corrective action plan going forward includes two years of monitoring to ensure HIPAA compliance.