The loss of two unsecured mobile devices has ended in Children’s Medical Center of Dallas paying a $3.2 million civil monetary penalty to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).  

The breach of electronic protected health information (ePHI) began in 2009 after an unencrypted, non-password protected BlackBerry device was lost at the Dallas/Fort Worth International Airport. The BlackBerry contained the ePHI of approximately 3,800 patients. In 2013, someone stole an unencrypted laptop from the medical center that contained the ePHI of more than 2,000 people.

In both cases the medical center filed the appropriate breach report with OCR. However, OCR investigated and found that Children’s had inadequate risk management plans and had not encrypted all of its laptops, work stations, mobile devices, and removable storage media until April 9, 2013. According to OCR, Children’s also issued unencrypted BlackBerry devices to nurses and allowed employees to continue using unencrypted laptops and other mobile devices until 2013. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” said OCR Acting Director Robinsue Frohboese in a statement.