Texas Hospital Fined $3.2 Million for HIPAA Violations

If you refuse to comply with HIPAA Rules, you risk being fined. And if you continue to break the rules even when you know better, that fine is probably going to be huge.

Such is the case with a $3.2 million fine levied against the Children’s Medical Center of Dallas earlier this month. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the penalty on Feb. 1, 2017.

The fine is based on the hospital’s “impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule,” according to the release.

Back in 2010, the pediatric hospital acknowledged the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport. The phone contained protected health information for 3,800 people. Then, in July of 2013, an unencrypted laptop containing information for 2,462 individuals was stolen.

“Despite the fact that Children’s clearly knew about the importance of encrypting patient data after the 2009 breach, it continued to issue unencrypted BlackBerry devices to its nurses and allowed employees to use unencrypted laptops and other mobile devices until the 2013 breach,” according to this eSecurity Planet story.

According to the release, “OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013.  

“Despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.”

The OCR’s acting director, Robinsue Frohboese, weighed in on the matter:

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” Frohboese said. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

What’s the takeaway for companies? For its story, eSecurity Planet interviewed Alertsec CEO Ebba Blitz, who said it’s critical that IT departments make sure all portable devices are encrypted, “as these not only store data locally, they can also be the gateway into the network.” “The best way to be on top of this is to either manage all devices in-house and not let anyone use their own device, or have a clear strategy for how to mitigate the risks of BYOD (Bring Your Own Device),” she said.

She added that “password protection is not the same as encryption.”

 
