The U.S. Department of Health and Human Services’ Office for Civil Rights fined Children’s Medical Center of Dallas $3.2 million for HIPAA noncompliance and impermissible disclosure of unsecured ePHI stemming from two data breaches caused by a lack of encryption, HHS announced today.

Children’s is part of Children’s Health, the seventh largest pediatric healthcare provider in the U.S.

The first breach involved the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of about 3,800 patients. Children’s reported the breach to OCR on January 18, 2010.

The second incident involved the theft of an unencrypted laptop from Children’s the first week of April 2013. The computer contained the ePHI of 2,462 patients. The hospital failed to report the theft to OCR until July 5, 2013.

Although Children’s physically protected part of the laptop storage area with badge access and a security camera, it also allowed access to staff members who weren’t authorized to access ePHI, officials said.

The subsequent OCR investigation further revealed HIPAA noncompliance that included a failure to implement risk management plans – despite external recommendations to do so. Further, the hospital failed to use encryption or equivalent method on its laptops, workstations, mobile devices and removable storage until April 9, 2013.

Children’s also issued unencrypted BlackBerry devices to nurses and allowed staff to continue use of unencrypted laptops and mobile devices until 2013, although the hospital was warned about the risk of unencrypted ePHI on devices as far back as 2007, officials found.

OCR issued a Notice of Proposed Determination, which provided instruction on how Children’s could request a hearing, officials said. However, Children’s didn’t request it. As a result, Children’s paid the full penalty.

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR Acting Director Robinsue Frohboese, said in a statement.

“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” she added.