Children's Medical Center of Dallas was fined $3.2 million in civil money penalties by the HHS Office of Civil Rights (OCR) for failing to encrypt BlackBerry devices, despite security gap assessments that had identified the risk of a data breach. The hospital notified OCR of a security incident after the loss of an unencrypted BlackBerry device containing electronic protected health information (ePHI) for approximately 3,800 individuals. While that incident was being investigated, the hospital notified OCR of two further incidents: the loss of an iPod holding unencrypted ePHI for at least 22 individuals, and the theft of a laptop containing ePHI for 2,462 individuals.

The OCR investigation revealed that Children's Medical Center of Dallas had commissioned two separate data security assessments in the years before the loss of these mobile devices. Both assessments identified a significant risk of a breach of ePHI stored on unencrypted mobile devices. According to OCR, the hospital failed to act on the findings of either assessment. In fact, OCR found that Children's Medical Center of Dallas "had actual knowledge of the risks to ePHI at rest...at least one year prior to the reported security incidents." Despite this actual knowledge of the risks associated with unencrypted devices, Children's Medical Center of Dallas continued to issue mobile devices containing unencrypted ePHI for several years. Encryption of ePHI is an addressable standard under the HIPAA Security Rule: a covered entity that does not encrypt ePHI on mobile devices must document why and must implement alternative security measures. OCR found that Children's Medical Center of Dallas failed to implement sufficient policies and procedures to protect the security of its ePHI, failed to prevent unencrypted ePHI from being written onto mobile devices, and failed to maintain an accurate inventory of its mobile devices.

OCR found two aggravating factors in support of the Civil Money Penalty of $3.2 million:

  • The fact that Children's Medical Center of Dallas continued to allow mobile devices to download unencrypted ePHI for several years after it had actual knowledge that the lack of encryption posed a significant security risk; and
  • The hospital's prior history of non-compliance.

However, OCR did not impose the maximum penalty possible based on the hospital's argument that there was no evidence that the individuals whose PHI was exposed suffered any actual harm.

All covered entities should take notice of this decision and take immediate steps to either encrypt ePHI contained on mobile devices or select an alternate security measure and fully document why encryption is not viable. If a covered entity does not have a complete inventory of its mobile devices, it should conduct an inventory immediately. Children's Medical Center of Dallas could have been fined over $13 million in civil money penalties. In future cases, OCR might find that the individuals whose information was disclosed did suffer actual harm which would result in much higher penalties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.