Missing Laptop, BlackBerry Result in $3.2 Million HIPAA Breach Fine

The third large cash penalty of 2017 suggests an intensifying enforcement crackdown that has collected nearly $6 million already this year.

Aldrin Brown, Editor-in-Chief

February 3, 2017

3 Min Read
Missing Laptop BlackBerry Result in 32 Million HIPAA Breach Fine

A Dallas-area hospital has paid a $3.2 million HIPAA penalty after lax security procedures led to the theft of an unencrypted laptop and the loss of a BlackBerry mobile device containing private medical records of a combined 6,200 individuals.

Children’s Medical Center of Dallas reported two major breaches to officials from the U.S. Department of Health and Human Services Office of Civil Rights during a three-year period from 2010 to 2013.

Investigators determined the hospital ignored repeated advice from internal and external experts – dating back to 2007 – warning about a number of risk factors that jeopardized the security of patient electronic protected health information (ePHI).

“Specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013,” OCR officials wrote in a statement.

Unlike most previous HIPAA breach resolutions, which resulted in settlements between the “covered entity” and OCR, Children’s Medical Center did not mount an affirmative defense.

“OCR issued a Notice of Proposed Determination…which included instruction for how Children’s could file a request for a hearing,” the OCR statement said. “Children’s did not request a hearing.

“Accordingly, OCR issued a Notice of Final Determination and Children’s paid the full civil money penalty of $3.2 million.”

The first reported breach occurred on Nov. 19, 2009, when an unencrypted and non-password protected BlackBerry, like those Children’s Medical Center routinely issued to nurses and other hospital staff, was lost at Dallas/Ft. Worth International Airport. 

That device contained the ePHI of roughly 3,800 people.

In the second reported breach, which occurred sometime between April 4 and April 9, 2013, an unencrypted and non-password protected laptop with ePHI of 2,462 individuals was stolen from an operating room storage area at the hospital.

OCR investigators determined that, despite the more than two years interval between the major breaches and repeated warnings from consultants, Children’s Medical Center did little to improve security.

“Although Children’s implemented some physical safeguards to the operating room storage area (e.g., badge access was required, and a security camera was present at one of the entrances), it also provided access to the area to staff who were not authorized to access ePHI,” authorities wrote in the final determination.

Hospital officials suspect the laptop was stolen by a member of the janitorial staff, which had unrestricted access to the storage area.

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential” OCR acting director Robinsue Frohboese said in a statement. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

The case marks the third large cash penalty of 2017, suggesting a continuation of an enforcement crackdown that has collected about $5.9 million already this year, and a record $23.5 million in 2016.

That’s up from $6.2 million in penalties for all of 2015.


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like