Failure to Encrypt Mobile Devices Leads to $3M HIPAA Settlement
Violations of the Health Insurance Portability and Accountability Act (HIPAA), whether actual or potential, continue to have a meaningful impact on organizations. One recent example is the University of Rochester Medical Center's (URMC) agreement to pay $3 million to the Office for Civil Rights (OCR). URMC filed breach reports with the OCR in 2013 and 2017 for the loss of an unencrypted flash drive and the theft of an unencrypted laptop, respectively, both of which contained protected health information (PHI). The article noted that in 2010 the OCR had investigated URMC for a similar breach involving a lost unencrypted flash drive. Even though URMC had identified the lack of encryption as a high risk to PHI, it permitted the continued use of unencrypted mobile devices, which resulted in the 2013 and 2017 disclosures of the loss and theft. This is an important example of the meaningful impact regulatory action can have on an organization for cyber-related incidents. Despite these severe penalties, many organizations continue to use unencrypted laptops and mobile devices, leaving themselves more exposed in the event of a cyber incident.
There are several reasons why an organization may not encrypt laptops or mobile devices, which include:
- The perceived disruption caused to an individual or department.
- The organization is unaware of a device’s existence.
- Lack of knowledge about the potential risk.
The Office for Civil Rights Director, Roger Severino, explains that “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk.” He adds, “when covered entities are warned of their deficiencies but fail to fix the problem, they will be held fully responsible for their neglect.”
Organizations should treat this as a real threat and take action to encrypt all laptops and mobile devices. While the potential financial impact on an organization of a cyber incident involving unencrypted devices is apparent, there are other considerations, including the following:
- In this case, URMC agreed to a corrective action plan, which includes two years of monitoring the organization’s HIPAA compliance.
- Failing to encrypt portable devices can potentially preclude coverage under some cyber insurance policies. It is important to be aware of your policy’s limitations in terms of encryption.
Speak to a trusted advisor to review these limitations.