URMC pays $3M fine for failure to encrypt mobile devices

Featured image

Share this article

URMC pays $3M fine for failure to encrypt mobile devices

The University of Rochester Medical Center (URMC) has paid a $3 million fine for its non-compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC is one of the largest health systems in New York State and includes the School of Medicine and Dentistry and Strong Memorial Hospital.

URMC filed two separate breach reports with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) in 2013 and 2017. 

On February 15, 2013, URMC lost an unencrypted flash drive that contained its patients’ protected health information (PHI). On January 26, 2017, URMC again notified OCR that an unencrypted personal laptop of one of its surgeons that contained 43 PHI records was stolen from its facility. 

OCR’s investigation of the breaches 

As a result of these data breaches, OCR conducted investigations that revealed that URMC had disregarded HIPAA compliance rules in both instances. 

During their audit, OCR uncovered that UCMR failed to:

  • conduct an enterprise-wide analysis of the potential risks to the confidentiality and availability of all PHI patient records in URMC’s physical and virtual custody
  • implement security measures sufficient to reduce risks and vulnerabilities
  • utilize device and media controls in its facility
  • encrypt and decrypt electronic protected health information (ePHI) to a reasonable level to comply with HIPAA

UCMR was also considered a repeat offender as OCR had previously investigated an occurrence of a lost unencrypted flash drive in 2010. At the time, the agency provided UCMR with technical assistance to correct the issue.  

Conclusion

Roger Severino, OCR Director released a firm statement that said “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

In addition to the $3 million settlement that UCMR has agreed to pay, OCR also directed UCMR to undertake a corrective action plan that includes two years of monitoring their compliance with HIPAA rules.  

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.

Read more by Rick Kuwahara

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022