Children's Medical Center of Dallas used unencrypted mobile devices in violation of HIPAA rules.
Children's Medical Center of Dallas used unencrypted mobile devices in violation of HIPAA rules.

A hospital in Texas was slammed with a $3.2 million penalty after it was found to be in violation of "multiple standards of the HIPAA Security Rule," according to Data Breach Today.

It was determined that the Children's Medical Center of Dallas used unencrypted mobile devices, among other noncompliance in efforts to protect customer health data.

In its Feb. 1 statement imposing the civil penalty, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), said the pediatric hospital, a part of Children's Health, the seventh largest pediatric health care provider in the nation, had failed to comply over several years.

Children's Health first filed a breach report with OCR on Jan. 18, 2010, citing the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport on Nov. 19, 2009. The device contained the ePHI of approximately 3,800 individuals. 

On July 5, 2013, the facility filed another breach report with OCR after an unencrypted laptop containing the ePHI of 2,462 individuals went missing in April 2013.

“Paying fines for a data breach is a bitter pill for any entity," Ebba Blitz, CEO of Alertsec, a Palo Alto, Calif.-based encryption software company, informed SC Media on Friday. "It is also terrible for the individuals who have had their information exposed. We mustn't forget that HIPAA is a regulation intended to protect individuals' privacy."

It's vital that IT departments make certain that every portable device is encrypted – including phones, tablets and all laptops – as these not only store data locally, they can also be the gateway into the network, Blitz added. "The best way to be on top of this is to either manage all devices in-house and not let anyone use their own device, or have a clear strategy for how to mitigate the risks of BYOD [Bring Your Own Device]. I should underscore that password protection is not the same as encryption.”

This is only the third civil monetary penalty OCR has issued.