A costly failure to encrypt for University of Rochester Medical Center

Mike Miliard, November 7, 2019

University of Rochester Medical Center (URMC) will pay $3 million to settle with the U.S. Department of Health and Human Services over HIPAA violations resulting from its failure to encrypt data. URMC lost an unencrypted flash drive in 2013 and had an unencrypted laptop stolen in 2017. The settlement requires URMC to implement a corrective action plan and undergo two years of HIPAA compliance monitoring. This case highlights the importance of basic security practices, such as encryption, in protecting patient health information.