• About Us
  • Events
  • Newsletter Sign Up
  • Spotlight Series
  • Webinars
  • WhitePapers
  • Videos
  • Podcasts
    1. Cybersecurity
    2. HIPAA

    U of Rochester Medical Center Pays $3M Fine for Device Encryption Failures

    Nov. 6, 2019

    The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) to settle potential HIPAA violations around failures to encrypt mobile devices.

    The health system, based in Rochester, N.Y., filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively, according to a press release from OCR, which operates with the U.S. Department of Health & Human Services (HHS).

    OCR's investigation then revealed that URMC “failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so.”

    Of particular note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices, federal officials attested.

    URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital, and is one of the largest health systems in New York State with over 26,000 employees.

    "Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," Roger Severino, OCR Director, said in a statement. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

    In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

    Continue Reading

    Sponsored Recommendations

    Data-driven, physician-focused approach to CDI improvement

    Organizational profile Sisters of Charity of Leavenworth (SCL) Health* has been providing care since it originated in the 1600s in France as the Daughters of Charity. These religious...

    Luminis Health improved quality and financial outcomes with advanced CDI technology and consulting from 3M

    In the beginning, there were challengesBefore partnering with 3M Health Information Systems (HIS), Luminis Health’s clinical documentation integrity (CDI) program faced ...

    Case Study: Intermountain Healthcare - AI-powered physician engagement to drive quality care

    Health System profile Intermountain Healthcare is a Utah-based, nonprofit health system composed of 24 hospitals, 225 clinics, a medical group with 3,000 employed physicians and...

    10 Reasons to Run Epic on Pure

    Gain efficiency & add productivity to your Epic data center. Download now to learn more!