In a refrain that should sound familiar, the HHS Office for Civil Rights (OCR) last month announced a new settlement agreement with a covered entity (CE) that it said failed to complete an acceptable security risk analysis and to encrypt its mobile devices.
OCR’s attempt to collect $4.358 million from the University of Texas MD Anderson Cancer Center is its most notable action related to a lack of encryption, and that fine is still the subject of ongoing litigation.[1] OCR pinned the new settlement[2] with the University of Rochester Medical Center (URMC) on incidents that occurred in 2013 and 2017, but it also harkened back to one from 2010. Legally, the 2010 loss is too old to be factored into a penalty, as the statute of limitations is six years.
The agency said URMC notified it on May 6, 2013, that an unencrypted flash drive was “lost” on Feb. 15, 2013. In the settlement documents, OCR did not say how many patients were affected by this breach. However, according to an entry on OCR’s breach notification website, an incident on that date involved electronic protected health information (ePHI) for 537 patients, and URMC’s public breach notice at the time provided more details.
URMC said that a “resident physician misplaced a USB computer flash drive that carried PHI. The flash drive was used to transport information used to study and continuously improve surgical results. The information was copied from other files and so its loss will not affect follow-up care for any patients.”[3]
The PHI consisted of “names, gender, age, date of birth, weight, telephone number, medical record number, orthopaedic physician’s name, date of service, diagnosis, diagnostic study, procedure, and complications, if any.” URMC added that no addresses, Social Security numbers or insurance information were on the flash drive.
URMC said in 2013 that the flash drive “is believed to have been lost at a URMC outpatient orthopaedic facility. After an exhaustive but unproductive search, hospital leaders believe that the drive likely was destroyed in the laundry. A search of the laundry service, which works exclusively with hospital/medical facilities, also failed to locate the drive,” it said.