The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Texas hospital $3.2 million for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA) over multiple years.

Children’s Medical Center of Dallas filed breach reports with the OCR in 2010 and again in 2013. The first report detailed the loss of an unencrypted, non-password protected BlackBerry device at Dallas/Fort Worth International Airport. The device contained the electronic protected health information (ePHI) of approximately 3,800 people.

In July 2013, the medical center filed a separate report, which stated that an unencrypted laptop containing the ePHI of 2,462 people had been stolen from its premises sometime between April 4 and April 9, 2013.

Health care industry is a top target

We recently reported that breaches in the US health care industry are at an all-time high, and – following the Children’s Medical Center of Dallas incident – Naked Security described targeting health care organizations as “about as easy as shooting fish in a barrel.”

The industry has one of the lowest rates of data encryption, and a lack of staff awareness remains one of its biggest threats. Insiders were responsible for 68% of all network attacks against health care data last year, according to a health care data security report from IBM.

As IBM explained, the health care industry is targeted so frequently because health records contain a wealth of information that can be used for fraud:

[Health records] typically contain credit card data, email addresses, Social Security numbers, employment information and medical history records – much of which will remain valid for years, if not decades.

IBM also cited the fact that health care organizations’ cybersecurity measures are often out of date and ineffective.

The importance of complying with HIPAA

The Children’s Medical Center of Dallas case again demonstrates the importance of “creating a culture of security where your employees are cognizant of the potential ill-effects of failing to safeguard personal information,” JD Supra writes.

This is particularly pertinent given that the OCR doesn’t simply focus on harm to individuals; it also ensures that health care organizations comply with HIPAA. In a number of cases, the OCR has levied fines against organizations for failing to comply with HIPAA even though no data was compromised.

Civil monetary penalties (CMP) for HIPAA violations can be as much as $50,000 per compromised record – up to an annual maximum of $1.5 million – and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.

HIPAA covered entities that are concerned about information security and want to prevent data breaches should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.

ISO 27001 covers the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement. To help comply with the Standard, IT Governance’s ISO 27001 Packaged Solutions provide resources and consultancy support for all organizations, whatever their size, sector, or location.
