A large New York State health system disregards mobile data warnings and pays a huge price.
When it comes to electronic patient health information (ePHI) and mobile data security, some folks never seem to learn their lessons.
Back in 2010, the University of Rochester Medical Center (URMC), one of New York State’s largest health systems, was warned that its lax data management systems were putting patient privacy at risk.
Almost 10 years ago, the Office for Civil Rights (OCR), the federal agency responsible for investigating Health Insurance Portability and Accountability Act (HIPAA) violations, discovered that URMC had misplaced an unencrypted flash drive containing the private health records of some of its 26,000 patients.
That violation led to OCR offering URMC technical assistance to ensure such a breach never happened again.
Two mobile data breaches despite OCR warnings
Despite the 2010 warnings, in 2013 and 2017 URMC reported breaches involving the loss of yet another unencrypted flash drive and an unencrypted laptop containing ePHI.
OCR’s investigation revealed that URMC failed to perform basic tasks associated with responsible mobile data management, leading to serious HIPAA violations. Those tasks include:
- conducting an enterprise-wide risk analysis
- implementing sufficient security measures
- utilizing device and media controls
- employing reasonable encryption and decryption technology
This time, OCR came down hard, forcing URMC to pay a whopping $3 million to settle the mobile data violations.
“When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect,” said OCR Director Roger Severino.
In addition to the monetary payment, URMC must undergo a comprehensive two-year corrective action plan requiring the Health System to:
- conduct a risk analysis
- develop a risk management plan
- develop a plan to address changes to URMC’s security environment
- revise its policies and procedures
- provide privacy training
What’s your mobile device data encryption policy? If your answer is less-than-comforting, we’re here to help.