The University of Rochester Medical Center (URMC) is paying a $3 million settlement for potential security and privacy violations.
The settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is one of the biggest fines so far this year involving violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.
URMC is one of the largest health systems in New York state with over 26,000 employees and includes the School of Medicine and Dentistry and Strong Memorial Hospital.
According to OCR, the health system reported a data breach in 2013 following the loss of an unencrypted flash drive that contained patients' protected health information (PHI). URMC reported another breach in 2017 when an unencrypted personal laptop of one of its resident surgeons containing PHI was stolen from a treatment facility.
Following the breaches, OCR investigated the health system's compliance with HIPAA rules. That investigation found that URMC lacked security measures sufficient to reduce risks and vulnerabilities and failed to conduct an enterprise-wide risk analysis. The health system also failed to utilize device and media controls and did not encrypt and decrypt ePHI when it was reasonable and appropriate to do so, OCR said.
Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to the health system. Despite the previous OCR investigation and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices, according to HHS.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," OCR Director Roger Severino said in a statement. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."
In addition to the $3 million settlement, URMC will also take corrective action, including two years of monitoring of its compliance with the HIPAA rules.