HIPAA Settlement for Unencrypted Mobile Device

Posted by BAS - 12 December, 2019


The University of Rochester Medical Center entered into a resolution agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights for failing to secure two different mobile devices.

Protected health information (PHI) was impermissibly released when a flash drive and an unencrypted laptop were stolen from the Medical Center. The HHS investigation determined that the Medical Center did not complete a risk analysis and did not have security policies to protect against the loss or theft of mobile devices containing PHI. The Medical Center knew about the risk, as it had encountered a breach in prior years, and it failed to follow HHS's earlier warnings on HIPAA compliance.

The Medical Center agreed to pay $3 million and enter into a 2-year corrective action plan. The action plan required a full-scale risk analysis, updated policies and procedures, device and media controls, and workforce training.

Topics: MyEnroll360 Security

