Hospital pays $3.2M fine after losing devices with patient dataReprints
The Children’s Medical Center of Dallas has paid a $3.2 million fine in connection with the loss of a BlackBerry device in 2009 and the theft of a laptop in 2013 that, combined, contained unencrypted data for more than 6,000 individuals, the U.S. Department of Health and Human Services’ Office for Civil Rights said.
On Jan. 18, 2010, the hospital filed a breach report on the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport in November 2009, that contained electronic protected health information on about 3,800 individuals, the civil rights office said in in its statement on Wednesday.
Then in July 2013, the hospital filed a breach report for the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013 that contained the protected health information of 2,462 individuals, the civil rights office said.
“Despite Children’s knowledge about the risk of maintaining unencrypted (electronic protected health information) on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013,” the civil rights office said in its statement.
The hospital said in a statement Friday that it had paid the fine because “efforts to formally contest the claims would be a long and costly distraction from our mission to make life better for children.” The hospital also said it did not believe that any patients or their families were affected by the device losses.
“We have also enacted many levels of protection across our variety of devices. We train our colleagues on the importance of protecting patient information, and the methods by which they do so. This is why we continually upgrade our encryption methods, and implement new means by which we secure all of our information.”