Sunday, February 12, 2017

Children’s Medical Center of Dallas pays $3.2M fine after lost device, HIPAA non-compliance

The Children’s Medical Center of Dallas has paid $3.2 million (£2.58m) to the United States government after the loss of a device in 2009 was found to reflect HIPAA non-compliance.

The inquiry came about after Children’s Health filed a breach report with the Office for Civil Rights (OCR) in January 2010, which disclosed the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport 2 months earlier. In July 2013, the hospital submitted a separate report stating that an unencrypted laptop had been stolen from its premises during April of that year.

A statement released by the Department of Health and Human Services (HHS) confirming the payment said that the OCR investigation had disclosed Children’s Health’s “HIPAA non-compliance rules, particularly, a failure to execute risk management plans, contrary to prior external suggestions to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013.”

It added that “despite Children’s information about the risk of maintaining unencrypted ePHI (electronic protected health information) on its devices as far back as 2007, [it] issued unencrypted BlackBerry devices to nurses and permitted its workforce members to continue using unencrypted laptops and other mobile devices until 2013.”


“Ensuring precise security precautions to secure health information, involving recognizing any security risks and instantly correcting them, is important,” said Robinsue Frohboese, OCR acting director.

Back in 2013, the Information Commissioner’s Office (ICO) in the UK laid down the law following a data breach at the Royal Veterinary College (RVC). An RVC employee lost a camera whose memory card contained passport images of 6 potential job applicants. In healthcare, one of the more recent customer wins for VMware was bringing LCMC Health on board; a blog post at the time noted how the healthcare provider was ‘moving toward innovations like self-serve kiosks in lobbies…and bring your own device models for medical professionals.’

“However OCR prefers to settle cases and assist entities in executing corrective action plans, a deficiency of risk management not merely costs individuals the security of their data, but it can also cost covered entities a sizable fine,” added Frohboese.

 
