URMC to pay a penalty of $3 million for failing to comply with HIPAA rules

  • The fine has been imposed by OCR for two data breaches that occurred in 2013 and 2017.
  • The data breaches occurred due to the loss of an unencrypted flash drive and laptop.

The University of Rochester Medical Center (URMC) in New York has agreed to pay a civil monetary penalty of $3 million for violating HIPAA rules. The fine has been imposed by the Department of Health and Human Services Office for Civil Rights (OCR) for two data breaches that occurred in 2013 and 2017.

What happened?

According to OCR, the health system reported a data breach in 2013 following the loss of an unencrypted flash drive that contained patients’ protected health information (PHI).

Again, in 2017, URMC reported another breach when an unencrypted personal laptop of one of its surgeons was stolen from a treatment facility. The laptop contained PHI of its patients.

Where did URMC fail?

  • Following the breaches, OCR investigated the health system’s compliance with the Health Insurance Portability and Accountability Act (HIPAA) rules.
  • During the investigation, it found that URMC lacked security measures to reduce risks and vulnerabilities. The health system also failed to conduct an enterprise-wide risk analysis.
  • The health system also failed to utilize device and media controls. OCR also found that it did not employ a mechanism to encrypt and decrypt the ePHI of patients.

Mistake repeated

In 2010, URMC was advised on a similar breach that involved a lost unencrypted flash drive. Despite the previous OCR’s technical assistance and recommendations, URMC permitted the continued use of unencrypted mobile devices.


In addition to the monetary settlement, URMC will undertake corrective action plans that include two years of monitoring their compliances with the HIPAA rules.

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, OCR Director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

Cyware Publisher