New York health system to pay $3M HIPAA settlement


The University of Rochester Medical Center (URMC) is paying a $3 million settlement to resolve potential violations of the HIPAA Privacy and Security Rules.

The settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is one of the largest HIPAA enforcement payments so far this year.

URMC is one of the largest health systems in New York state, with more than 26,000 employees, and includes the School of Medicine and Dentistry and Strong Memorial Hospital.

According to OCR, the health system reported a data breach in 2013 after losing an unencrypted flash drive that contained patients' protected health information (PHI). URMC reported a second breach in 2017 when an unencrypted personal laptop belonging to one of its resident surgeons, also containing PHI, was stolen from a treatment facility.

Following the breaches, OCR investigated the health system's compliance with the HIPAA rules. The investigation found that URMC lacked security measures sufficient to reduce risks and vulnerabilities to a reasonable level and had failed to conduct an enterprise-wide risk analysis. The health system also failed to implement device and media controls and did not encrypt and decrypt electronic PHI (ePHI) where it was reasonable and appropriate to do so, OCR said. Under the Security Rule, encryption of ePHI is an "addressable" specification, not an optional one: a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative safeguard in place.

Of note, OCR had already investigated URMC in 2010 over a similar breach involving a lost unencrypted flash drive and had provided technical assistance to the health system at that time. Despite that earlier investigation, and despite URMC's own risk analysis identifying the lack of encryption as a high risk to ePHI, URMC continued to permit the use of unencrypted mobile devices, according to HHS.

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," OCR Director Roger Severino said in a statement. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

In addition to the $3 million payment, URMC has agreed to a corrective action plan that includes two years of OCR monitoring of its compliance with the HIPAA rules.
