Lost BlackBerry and stolen laptop costs hospital $3.2M for ePHI breaches

Children’s Medical Center of Dallas, the seventh largest pediatric health care provider in the nation, paid a civil money penalty (CMP) of more than $3.2 million after two breaches of the HIPAA Security Rule revealed a lack of risk management. Children’s did not request a hearing after the HHS Office for Civil Rights (OCR) provided notification of the proposed CMP, and the OCR issued a final determination on the amount of CMP. According to an HHS press release, Children’s has already paid the CMP.

This is only the third CMP the OCR has issued in response to a HIPAA breach—CMPs are imposed only in the most egregious situations; in this case, the OCR determined that Children’s impermissible disclosure of unsecured electronic protected health information (ePHI) and noncompliance with multiple standards of the HIPAA Security Rule over many years warranted the CMP.

The two ePHI breaches came to the OCR’s attention when Children’s filed breach reports. In 2010, Children’s reported the loss of an unencrypted, non-password-protected BlackBerry device containing the ePHI of approximately 3,800 individuals. In 2013, it filed a separate report regarding the theft of an unencrypted laptop that contained the ePHI of 2,462 individuals. The laptop theft happened despite some physical safeguards for the laptop storage area, because Children’s allowed individuals who were not authorized to access ePHI to enter the storage area. In its investigations following the reports, the OCR determined that Children’s failed to implement risk management plans and continued to allow members of its workforce to use unencrypted devices for years after the loss of the BlackBerry.

Because Children’s failed to timely request a hearing after the OCR provided it with the Notice of Proposed Determination, the hospital has no right to appeal the imposition of the CMP. The CMP consisted of $923,000 for access control violations; $772,000 for device and media control violations; and $1,522,000 for impermissible disclosures of ePHI.