The University of Rochester Medical Center (URMC) will pay a $3 million penalty to the Department of Health and Human Services’ Office for Civil Rights (OCR), wrapping up two investigations into potential patient privacy violations which began in 2013 and 2017 respectively. 

URMC voluntarily filed the violations after failing to adhere to Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, first by losing protected health information on an unencrypted flash drive, and next by losing an unencrypted laptop with similar sensitive data. 

OCR’s investigation ruled that URMC had made an insufficient effort to minimize the risks to personal data being shared, and that the medical center lacked a comprehensive risk action plan. Part of the settlement agreement mandates that URMC undergo a risk analysis and develop and implement a risk management plan.

The U.S. Department of Health and Human Services’ (HHS) press release referenced a 2010 incident when URMC was investigated after reporting a lost unencrypted flash drive, saying that URMC “permitted the continued use of unencrypted mobile devices” despite being aware of the risks involved.   

Chip Partner, director of external communications for URMC, says this is incorrect.

“Since 2010 it has been improper and against policy to store protected health information on an unencrypted device,” Partner said. He added that regarding the breaches, “the employees involved were in violation of that policy.”

In the future, Partner said, technological changes could be made to limit the ability of people to store private information on personal devices. 

“The medical center is deeply committed to protecting patient privacy, and we continuously improve our IT security safeguards and staff training to reduce the risk of a privacy breach,” Partner wrote in an email. He said in an interview: “We already believe that we have strong systems in place and we’re going to use this settlement to make them stronger.”



URMC to pay $3 million for privacy violation
