MD Anderson to pay $4.3 million settlement with OCR for HIPAA violations

The cancer research center argued it didn’t need to encrypt its data as it was for research, but a federal judge upheld the OCR fine.
By Jessica Davis
03:12 PM

The University of Texas MD Anderson Cancer Center settled with the U.S. Department of Health and Human Services’ Office for Civil Rights for $4,348,000 for HIPAA violations, an amount that was upheld by the HHS administrative law judge.

The fine is the fourth largest monetary settlement with OCR.

MD Anderson suffered three separate data breaches in 2012 and 2013 involving the theft of an unencrypted laptop and the loss of two USB thumb drives containing the unencrypted data of more than 33,500 patients.

The OCR investigation that followed found the cancer center hadn’t updated its encryption policies since 2006. Further, a risk analysis by MD Anderson found that the lack of encryption posed a high risk of loss of patient data.

Despite these observations, OCR officials said that MD Anderson failed to begin adopting encryption policies for patient data until 2011. Even then, it failed to encrypt its inventory of devices containing patient data between 2011 and 2013.

MD Anderson officials argued that the data didn’t need to be encrypted as the patient data was for research purposes and not subject to HIPAA. Further, they said the OCR fine was “unreasonable.”

But the HHS administrative law judge sided with OCR and found the penalty was reasonable, “given the gravity of [MD Anderson’s] noncompliance and the number of individuals potentially affected,” adding that the penalties “are minuscule when compared to the respondent’s size and the volume of business that it does.”

“[MD Anderson’s] dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI, a risk that respondent not only recognized but that it restated many times,” Steven Kessel, the administrative law judge, wrote in his decision.

OCR Director Roger Severino said in a statement that the office is pleased the judge upheld its penalties. “It underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information,” Severino added. 

MD Anderson is not alone in failing to encrypt its data despite HIPAA requirements to do so. 

Earlier this year, Fresenius Medical Care North America settled with OCR for $3.5 million following an OCR investigation of a string of breaches in 2013. The health system failed to encrypt health data on its devices.
