Best Practices

The Concentra HIPAA Breach and Mobile Device Encryption


In a story about a HIPAA breach covered in Healthcare IT News this week, the HHS Office for Civil Rights settled with two organizations for just under $2 million combined after it was discovered that both had unencrypted laptops containing PHI stolen. As OCR deputy director of health information policy Susan McAndrew pointed out, the large fines are meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to patients and must be corrected.

The first and larger of the two fines was levied against Concentra Health Services after an unencrypted laptop was stolen from one of its facilities. OCR made particular note of the fact that Concentra, through a series of risk analyses over a period of years, had been put on notice that it was allowing patient information to be shared on unencrypted desktop computers, tablets, and mobile phones. Instead of correcting these deficiencies through a documented remediation plan, however, Concentra allowed the bad practices to continue despite the known Security Rule violations. In the end, OCR fined Concentra over $1.7 million for the breach and required the organization to adopt a corrective action plan and work with HHS to fix the known issues.

“Our message to [healthcare] organizations is simple,” McAndrew said. “Encryption is your best defense against these incidents.”

The Importance of Mobile Device Encryption

We’ve argued on this blog about how important mobile device encryption is for a healthcare facility, and the Concentra incident only bolsters our stance. That said, implementation issues are always a concern for a healthcare IT executive, which could explain why healthcare organizations are slow to adopt technologies such as encryption and secure texting that could potentially take millions of dollars of risk off the table.

Encrypted Mobile Applications are the Future

Nevertheless, when the implementation is as easy as installing an encrypted mobile application on the phone and writing a policy requiring providers to send PHI only through that channel, an administrator’s job is just about done. In an age of dramatically increasing federal fines, it’s all too easy for a provider to lose a mobile device and trigger a full-blown OCR investigation. Encrypt your endpoints and avoid becoming front-page news.

Frequently Asked Questions

Find answers to common questions about this topic.

Healthcare organizations can face fines exceeding $1.7 million per incident, as demonstrated by the Concentra case. The HHS Office for Civil Rights has increased penalties significantly to discourage unencrypted device usage in healthcare settings.

All mobile devices that store, access, or transmit PHI must be encrypted, including laptops, tablets, smartphones, and desktop computers. Healthcare organizations are required to encrypt any endpoint device that could potentially contain patient information.

Organizations can install encrypted mobile applications on devices and establish policies requiring staff to only transmit PHI through encrypted channels. This approach provides immediate compliance while being relatively simple to deploy and manage.

Organizations that fail to address known encryption deficiencies face higher penalties and mandatory corrective action plans. OCR considers prior knowledge of vulnerabilities an aggravating factor when determining fine amounts and enforcement actions.

Encryption renders PHI unreadable to unauthorized users even if devices are lost or stolen, effectively preventing a breach notification requirement. It's the most reliable technical safeguard for protecting patient data on mobile devices.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.
