"Lack of timely action risks security and costs money," says the HHS Office for Civil Rights (OCR) press release, and while it's unclear how much one lost phone and one lost laptop risk security, we know how much money they cost: $3,217,000 assessed against the Children's Medical Center of Dallas for HIPAA violations.
The center reported to OCR on Nov. 19, 2009, that an "unencrypted, non-password protected BlackBerry device" issued to center personnel and containing the electronic protected health information (ePHI) of approximately 3,800 people had been lost at Dallas/Fort Worth International Airport.
As if that weren't bad enough, the center reported July 5, 2013, that someone stole an unencrypted laptop holding ePHI for 2,462 people from its premises sometime in April of that year.
OCR's investigations of the center found it negligent under the HIPAA Security Rule. For example, after the center switched its method of inventorying devices that contained ePHI in 2012, it "did not conduct a complete inventory to identify all devices to which its IT asset policies apply to ensure that all devices were covered by its device and media control policies," per OCR's proposed determination in the case.
This isn't the biggest HIPAA violation fine ever -- there have been other multimillion-dollar settlements, and in 2014 New York-Presbyterian Hospital and Columbia University Medical Center had to pay $3.3 million when "a computer server that had access to NYP ePHI information systems was errantly reconfigured."