
Stolen flash drive leaves U of Rochester Medical Center with $3M HIPAA settlement

6 Nov 2019 6:37 PM | AIMHI Admin (Administrator)

Beckers Source Article | Comments Courtesy of Matt Zavadsky

A couple of years back, a friend of mine who was the CEO of a very well respected EMS agency shared this story – he hired a “Black Hat” to penetration test his agency against cyber-attacks. 

The Black Hat was supposed to start on a Monday morning, but the Black Hat walked into the CEO’s office on the preceding Friday about, placed a thumb drive on the CEO’s desk and said, ‘This jump drive contains the names, dates of birth, driver’s license and social security number of about 400 of your patients from this month.’

The CEO was astounded and asked how the Black Hat hacked into the system so quickly, to which the Black Hat replied, ‘through the front door… 10 minutes ago I walked up to the receptionist – told her I was here to see you, she buzzed me in, I found an empty cubicle in billing with the computer locked, I ‘unlocked’ it, found your billing application, and downloaded your claims for the last 3 days – want me to start today, as long as I’m here?’


Stolen flash drive leaves U of Rochester Medical Center with $3M HIPAA settlement

Mackenzie Garrity



The University of Rochester (N.Y.) Medical Center has agreed to pay $3 million to HHS' Office for Civil Rights to settle potential HIPAA violations, according to a Nov. 5 news release.

In 2013 URMC filed a data breach report with the OCR stating that an unencrypted flash drive had been stolen. Following the notice that patients' protected health information could have been exposed, the OCR offered technical assistance to URMC.

Then in 2017, URMC disclosed that an unencrypted laptop had been stolen. An OCR investigation found URMC failed to conduct enterprise-wide risk analysis, implement security measures sufficient to reduce risk and vulnerabilities to a reasonable and appropriate level, utilize device and media controls, and employ a mechanism to encrypt and decrypt electronic protected health information.

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, OCR director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible."

Along with paying the $3 million settlement, URMC will also undergo a corrective action plan, including two years of HIPAA-compliance monitoring.
