University of Rochester Medical Center hit with $3M fine for breaches

The University of Rochester (N.Y.) Medical Center has been hit with a $3 million settlement fine and a two-year corrective action plan for two technology-related breaches.

The organization filed the breach report with the HHS Office for Civil Rights after discovering that protected health information was disclosed through the loss of an unencrypted flash drive. In 2017, the organization again filed a breach report after an unencrypted laptop was stolen.

University of Rochester Medical Center_Strong Memorial-CROP.jpg

Now, the organization is paying the settlement fee and is entering a two-year corrective action plan to OCR for failures to conduct an enterprise risk analysis, implement security measures to reduce risks to an appropriate level, employ device and media controls, and use a mechanism to encrypt and decrypt electronic protected health information when reasonable and appropriate.

In assessing the penalty, OCR mentioned that the organization failed to increase its vigilance in protecting data after the first incident.

Also See: Providers not using encryption enough for data in the cloud

“Despite the previous OCR investigation and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices,” OCR explains.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” adds Roger Severino, director of the Office for Civil Rights. “When covered entities are warned of their deficiencies but fail to fix the problem, they will be held fully responsible for their neglect.”

University of Rochester Medical Center is one of the largest healthcare systems in New York State with more than 26,000 employees. Additional information on the settlement was not immediately available.

For reprint and licensing requests for this article, click here.