NY Hospital Pays $3 Million HIPAA Settlement

November 6, 2019 | Eric D. Fader | Electronic Health Records | HIPAA | Hospitals | Litigation

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on November 5 that the University of Rochester Medical Center (URMC) agreed to pay $3 million to settle violations of the HIPAA Privacy and Security Rules. URMC is one of the largest health systems in New York State, with more than 26,000 employees.

URMC filed breach reports with OCR in 2013 when an unencrypted flash drive was lost and in 2017 when an unencrypted laptop was stolen. In each incident, patients’ protected health information (PHI) was found to have been impermissibly disclosed. OCR’s investigation revealed that after both breaches, URMC failed to conduct an enterprise-wide risk analysis, implement proper security measures, and encrypt electronic PHI.

Prior HIPAA violations by URMC may have been factors in the severity of the new penalty. URMC reported the loss of an unencrypted flash drive in 2010, and reached a $15,000 settlement with the New York State Attorney General’s Office in 2015 after it inappropriately shared with a departing employee a spreadsheet containing information on more than 3,400 patients.

URMC’s Resolution Agreement incorporates a Corrective Action Plan requiring its HIPAA compliance to be monitored for two years.
