Lost Phone Exposes HIPAA Risk Management Failure
Have you ever lost your phone? It’s inconvenient and annoying, but that’s usually the end of it. What if your lost cell phone wasn’t password protected, though? All of your emails, text messages, photos, and files would be visible to the world. That happened in Texas – but it wasn’t just any cell phone… it was a hospital-owned cell phone. And it wasn’t text messages that were visible to the world. It was thousands of identifiable medical records.
In early 2010, Children’s Medical Center of Dallas reported that an unencrypted, non-password-protected cell phone was lost at the Dallas-Fort Worth International Airport. The device contained the private medical records of 3,800 patients.
It was an astounding breach. And then, three years later, it happened again. This time, it was an unencrypted laptop containing the medical records of 2,642 patients.
A Texas-Sized Risk Management Plan Gap
Those security breaches violated the Health Insurance Portability and Accountability Act (HIPAA). Sharing electronic protected health information (EPHI) with unauthorized parties, even unintentionally, is illegal.
In the three years between losing the two devices, Children’s implemented only minor security updates, including adding a lock to the door of the room where mobile devices are stored. They also added a camera to monitor that door.
To the Office for Civil Rights (OCR), the agency responsible for investigating HIPAA violations, those measures weren’t enough. Children’s was fined $3.2 million.
Electronic Protected Health Information Penalties Are Messages To The Community
In most cases, the monetary payment to OCR is a settlement between the offender and the government. In the case of Children’s, it was a punishment.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” said OCR Acting Director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”
Particularly offensive to OCR, according to the investigators, was Children’s failure to learn from its past mistakes. The hospital had apparently been warned as early as 2007 against distributing unencrypted devices to nurses, yet it continued assigning unprotected devices to staff through 2013.
Read more about the Children’s Hospital breach here.
Is your medical staff walking around with unencrypted devices? If you aren’t sure, let’s talk.