HIPAA Horror Stories

The Texas-Sized Failure


Lost Phone Exposes HIPAA Risk Management Failure

Have you ever lost your phone? It’s inconvenient and annoying, but that’s usually the end of it. What if, though, your lost cell phone wasn’t password protected? All of your emails, text messages, photos, and files would be visible to the world. That happened in Texas – but it wasn’t just any cell phone… it was a hospital-owned cell phone. And it wasn’t text messages that were visible to the world. It was thousands of identifiable medical records.

In early 2010, Children’s Medical Center of Dallas reported that an unencrypted, non-password-protected cell phone had been lost at the Dallas-Fort Worth International Airport. The device contained the private medical records of 3,800 patients.

It was an astounding breach. And then, three years later, it happened again. This time, it was an unencrypted laptop containing the medical records of 2,642 patients.

A Texas-Sized Risk Management Plan Gap

Those security breaches violated the Health Insurance Portability and Accountability Act. Sharing electronic protected health information (ePHI) with unauthorized parties, even unintentionally, is illegal.

In the three years between losing the two devices, Children’s implemented only minor security updates, including adding a lock to the door of the room where mobile devices are stored. They also added a camera to monitor that door.

To the Office for Civil Rights (OCR), the agency responsible for investigating HIPAA violations, those measures weren’t enough. Children’s was fined $3.2 million.

Electronic Protected Health Information Penalties Are Messages To The Community

In most cases, the monetary payment to OCR is a settlement between the offender and the government. In the case of Children’s, it was a punishment.

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” said OCR Acting Director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

Particularly offensive to OCR, according to the investigators, was Children’s failure to learn from its past mistakes. The hospital had apparently been warned, as early as 2007, against distributing unencrypted devices to nurses, yet it continued assigning unprotected devices to staff through 2013.

Read more about the Children’s Hospital breach here.

Is your medical staff walking around with unencrypted devices? If you aren’t sure, let’s talk.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.
