The University of Texas MD Anderson Cancer Center must pay a $4.3 million fine to HHS' Office for Civil Rights for data breaches, a federal judge ruled Monday. It's the fourth-largest HIPAA-related settlement ever paid to the OCR.
In 2012 and 2013, an MD Anderson employee's laptop was stolen, a company trainee lost a thumb drive, and a visiting researcher lost another thumb drive. Altogether, these devices contained about 33,800 patients' data. Because those health records weren't encrypted, the OCR determined that MD Anderson violated the HIPAA privacy and security rules.
MD Anderson leaders plan to appeal the ruling, according to a statement from the organization.
"We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards," said OCR director Roger Severino in a statement.
Although MD Anderson has had encryption policies since 2006, it hadn't started encrypting protected health information across the enterprise until 2011, and it took more than two years to encrypt all of its computers.
"The bottom line is that when an organization identifies through its risk assessments that a threat or vulnerability poses a significant risk to the confidentiality of PHI, it must take action to put processes or technology in place that will effectively protect that information," said David Holtzman, vice president of compliance strategies for IT consulting firm CynergisTek.
Despite knowing about risks, MD Anderson argued that it did not have to encrypt its devices in the first place and that HIPAA nondisclosure requirements didn't apply to the protected health information because it was used for research. But the HHS administrative law judge disagreed, writing that MD Anderson's "dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure" of digital protected health information.
MD Anderson knew for more than five years that its patients' data were vulnerable, but "it consistently failed to implement the very measures that it had identified as being necessary to protect that information," the judge wrote.
But MD Anderson officials contended that there is no evidence showing that patient information was "viewed."