Children’s Health Pays $3.2 Million Fine Over Data Breach
After a multiyear investigation into a patient data privacy breach, Texas-based Children’s Health was ordered to pay a $3.2 million federal penalty.
The U.S. Department of Health and Human Services Office for Civil Rights said the finding was the result of “impermissible disclosure of unsecured” health information.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” said U.S. Department of Health and Human Services Office for Civil Rights Acting Director Robinsue Frohboese.
Children’s Health, formerly known as the Children’s Medical Center of Dallas, reported the breach voluntarily. They do not believe patients or their families were affected by the data loss.
“We have also enacted many levels of protection across our variety of devices. We train our colleagues on the importance of protecting patient information, and the methods by which they do so,” Scott Summerall, a spokesman for the health system, wrote in an emailed response to the Associated Press.
According to the report, the patient information was exposed on two separate occasions. In 2009, a BlackBerry containing the unencrypted information about 3,800 patients was lost at the Dallas/Forth Worth International Airport. In 2013, an unencrypted laptop containing the information for 2,500 patients was stolen from the hospital.
“Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013,” the Health and Human Services reported on their website.