HIPAA violations lead to multimillion-dollar penalties

November 12, 2019

A pair of HIPAA violations garnered more than $4 million in penalties.

A pair of healthcare providers are facing hefty fines after they failed to protect patients’ medical records, according to news releases from the U.S. Department of Health & Human Services.

The University of Rochester Medical Center (URMC) will pay $3 million to the Office of Civil Rights (OCR) and take action to correct and settle potential violations of HIPAA privacy and security rules as part of a settlement announced November 5.

URMC filed reports of information breaches with OCR after finding protected health information had been disclosed without permission through the loss of an unencrypted flash drive in 2013 and the theft of an unencrypted laptop in 2017, according to a release.

Upon investigation, OCR found that URMC had failed to conduct an enterprise-wide risk analysis, implement security measures that would sufficiently reduce risks and vulnerabilities, use device and media controls, and encrypt and decrypt electronic protected health information, the release said.

In 2010, URMC was investigated by OCR for a lost unencrypted flash drive. OCR provided technical assistance in that instance.

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," says Roger Severino, OCR Director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

OCR has also imposed a $1.6 million civil money penalty against the Texas Health and Human Services Commission (TX HHSC) for violating HIPAA privacy and security rules between 2013 and 2017, according to a November 7 news release.

The Department of Aging and Disability Services (DADS), which was reorganized into TX HHSC in September 2017, reported a breach in June 2015 saying that the electronic protected health information of 6,617 patients was viewable over the internet. The information included names, addresses, social security numbers, and treatment information.

The breach was caused by an internal application being moved from a private, secure server to a public server. A flaw in the software code allowed access to the information without the proper credentials. Because DADS had failed to conduct an enterprise-wide risk analysis and to implement access and audit controls on its information, there is no way to determine how many unauthorized individuals were able to access the information.

"Covered entities need to know who can access protected health information in their custody at all times," Severino says. "No one should have to worry about their private health information being discoverable through a Google search."