Data breaches are becoming more common - and costly.

A stolen iPhone containing the medical records of more than 400 nursing home patients will cost the former owner of several nursing homes $650,000 under a federal settlement.

The theft occurred at a facility under the direction of Catholic Health Care Services of the Archdiocese of Philadelphia during February 2014 and led to an investigation by the Health and Human Services Office of Civil Rights. CHCS was later found to have violated the Health Insurance Portability and Accountability Act’s Security Rule by failing to evaluate risks of storing patients’ personal health information on mobile devices, according to OCR officials.

During the investigation, the agency also found CHCS was not taking appropriate security measures to prevent the improper disclosure of patient records.

“The issue of mobile devices has been a consistent theme in both recent OCR enforcement and public statements, and everyone in the HIPAA circle of enforcement should be paying close attention to mobile device security practices,” said case attorney Kirk Nahra.

In addition to the settlement payment, CHCS must follow a two-year corrective action plan. It stipulates that CHCS carry out a risk analysis of all its electronic personal health information. Documentation of measures being taken to reduce identity risk also will be required, along with the creation of policies and procedures to prevent further incidents.

Since the theft occurred, CHCS has transferred ownership of its six skilled nursing facilities to New York-based Center Management Group, but it continues to provide management and information technology services to the facilities.