A hospital’s loss of a BlackBerry and a laptop containing unsecured electronic protected health information (ePHI) led to an investigation by the Department of Health and Human Services, Office for Civil Rights (OCR) that found more widespread HIPAA violations.
OCR imposed a civil monetary penalty against Children’s Medical Center of Dallas based on its “impermissible disclosure of and noncompliance over many years with multiple standards of the HIPAA Security Rule,” the office reports.
Children’s paid the full civil monetary penalty of $3.2 million. The penalty came after the hospital filed a breach report with OCR in 2010 indicating the loss of an unencrypted, non-password-protected BlackBerry device with the ePHI of approximately 3,800 individuals at the Dallas/Fort Worth International Airport. In 2013, Children’s filed a separate HIPAA Breach Notification Report with OCR after the theft of an unencrypted laptop from its premises. That contained the ePHI of 2,462 individuals.
OCR’s investigation determined that Children’s had implemented some physical safeguards for the laptop storage area, including badge access and a security camera at one of the entrances, but it also granted access to that area to workers who were not authorized to access ePHI.
OCR cited the hospital for failing to implement risk management plans, contrary to prior external recommendations to do so, and for failing to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices, and removable storage media until after the theft of the laptop.
“Despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013,” OCR reports. “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”