
A (Bad) Blast from the Past

With all of the phishing and other hacking attacks dominating the headlines, yesterday's OCR note was like reading a scenario from 2012. The University of Rochester Medical Center has agreed to a $3M, two-year corrective action plan after failing to encrypt its mobile devices. As with any investigation, the Office of Civil Rights also discovered that URMC failed to:

  • conduct an enterprise-wide risk analysis;

  • implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;

  • utilize device and media controls; and

  • employ a mechanism to encrypt and decrypt electronic protected health information when it was reasonable and appropriate to do so.

We don't enjoy reporting non-compliance cases but post OCR actions so that organizations may consider the real impact of their compliance and security decisions. Click the graphic below to read the OCR report.
