US hospital pays $3.2m fine after lost device and HIPAA non-compliance
The Children’s Medical Center of Dallas has paid $3.2 million (£2.58m) to the US government after a lost device in 2009 was found to have breached HIPAA protocol.
The investigation came about after Children’s Health filed a breach report with the Office for Civil Rights (OCR) in January 2010 which indicated the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport two months earlier. In July 2013, the hospital filed a separate report stating an unencrypted laptop had been stolen from its premises during April of that year.
A statement confirming the payment issued by the Department of Health and Human Services (HHS) said the OCR investigation had revealed Children’s Health’s “non-compliance with HIPAA rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9 2013.”
It added that “despite Children’s knowledge about the risk of maintaining unencrypted ePHI (electronic protected health information) on its devices as far back as 2007, [it] issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.”
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” said Robinsue Frohboese, OCR acting director.
Back in 2013, the Information Commissioner’s Office (ICO) in the UK laid down the law following a data breach from the Royal Veterinary College (RVC). An RVC employee lost a camera which contained passport images of six potential job applicants in its memory card. In terms of healthcare, one of the more recent customer wins for VMware was to bring LCMC Health on board; a blog post at the time noted how the healthcare provider was ‘moving toward innovations such as self-serve kiosks in lobbies…and bring your own device models for medical professionals.’
“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” added Frohboese.
- » WebEx most popular enterprise app says MobileIron – yet organisational bad practices remain
- » Why enterprises who keep their IT models static will face trouble ahead
- » CISO research advocates ’30 day sprint’ to get privileged credentials up to date
- » Bitglass unveils new agentless mobile security patent, takes aim at MDM
- » 10 enterprise mobility acronyms you need to know for 2017