The Children’s Medical Center of Dallas, a pediatric hospital, has been fined $3.2 million by the US Department of Health and Human Services, Office for Civil Rights (OCR) for a breach of data that resulted in the disclosure of unsecured electronic protected health information (ePHI).
The first breach involved the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
The second involved the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. Children's reported the device contained the ePHI of 2,462 individuals.
OCR officials stated, “Despite Children's knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.”
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR Acting Director Robinsue Frohboese said in a statement. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”