November 07, 2019

OCR Signals Importance of Encrypting Mobile Devices with Recent Settlement

On November 5, OCR settled with the University of Rochester Medical Center (URMC) after URMC filed two separate breach reports revealing that PHI had been impermissibly disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop. Before these two breach reports, OCR had already investigated a similar breach at URMC involving a lost unencrypted flash drive. Despite that investigation and URMC’s identification of the risks that a lack of encryption posed, the medical center did not change its practices and continued to use unencrypted medical devices. URMC agreed to pay $3 million to OCR and to undertake a corrective action plan that includes two years of monitoring.