Succession of Breaches Results in $3.2M HIPAA Penalty Against Hospital

A 2013 laptop theft led to a $3.2 million Health Insurance Portability and Accountability Act (HIPAA) penalty against a Dallas hospital, after the U.S. Department of Health and Human Services (HHS) determined that it had failed to address known security risks for years beforehand.

In July 2013, Children’s Medical Center of Dallas reported to HHS that an unencrypted laptop with electronic protected health information (e-PHI) on 2,462 patients had been stolen from its premises that April. Although the hospital had some physical safeguards on the laptop storage area, it allowed entry by employees not allowed to access e-PHI.

On investigating the breach, HHS’ Office for Civil Rights (OCR) found that Children’s had failed to implement risk management plans, despite prior external recommendations to do so, or to deploy encryption or a reasonable alternative on its laptops and mobile devices until after the 2013 incident.

Children’s was warned as early as 2007 about the risk of maintaining unencrypted e-PHI on its devices, and in 2010 reported the loss of a BlackBerry with e-PHI on 3,800 individuals, OCR alleged. Yet the hospital kept issuing unencrypted mobile devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR Acting Director Robinsue Frohboese said in a February 1 statement. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

OCR fined Children’s $1,000 for each individual’s PHI disclosed in the 2013 breach, up to the annual statutory limit of $1.5 million, and $1,000 per day from September 30, 2010, until April 9, 2013, for violating the “Access Controls (Encryption)” standard of HIPAA’s security rule (a total of $923,000).

The hospital also was assessed $1,000 per day for violating the “Device and Media Controls” standard between September 30, 2010, and November 9, 2012 (a total of $772,000). “Children’s did not implement sufficient policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within the facility,” OCR explained in a September 30, 2016, proposed penalty determination.

Children’s did not request a hearing of the proposed determination, so OCR issued a final determination on January 18, and the hospital paid the full civil monetary penalty (CMP) of $3,217,000. This is only the third actual CMP imposed by the agency, which usually reaches some kind of settlement with a health plan or provider accused of HIPAA violations.

HIPAA privacy and security penalties can pile up rapidly since the HITECH Act was enacted in 2009. The $1,000 per violation assessed by OCR was actually the minimum allowable penalty under the statute for a violation that was “due to reasonable cause and not willful neglect.”

Insurer Breach Leads to $2.2M HIPAA Settlement

In a separate case, a Puerto Rico insurer agreed to pay $2.2 million to settle OCR allegations stemming from the theft of a USB data storage device (pen drive) from its IT department, where the device allegedly was left without safeguards overnight. According to the breach report filed in September 2011 by MAPFRE Life Insurance Co., the pen drive contained complete names, birth dates, and Social Security numbers on 2,209 individuals.

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative on its laptops and removable storage media until 2014. MAPFRE also failed, or was late to implement, other corrective measures that the company had informed OCR it would undertake, the agency alleged.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR Director Jocelyn Samuels said January 18 in announcing the settlement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

Along with the monetary payment, MAPFRE agreed to corrective actions such as conducting a risk assessment and risk management plan for submittal to HHS, implementing a process to evaluate operational and environmental changes, and updating its policies and procedures on various security controls.