MD Anderson Cancer Centre ordered to pay $4.3 million HIPAA fine over use of unencrypted devices

A Texas-based cancer treatment center has been ordered to pay over $4 million in penalties due to a lack of encrypted devices in three data breaches. A Health and Human Services administrative law judge (ALJ) affirmed a ruling that the University of Texas MD Anderson Cancer Center must pay $4.3 million in civil money penalties to the Office for Civil Rights for violating the HIPAA privacy and security rules in three separate data breaches.

The OCR investigated the institution following three data breach reports in 2012 and 2013 that involved the theft of an unencrypted laptop stolen from the residence of an MD Anderson employee and the loss of two unencrypted USB thumb drives that contained unencrypted electronic protected health information (ePHI) of 33,500 patients. The judge approved OCR for imposing the penalties after its investigation into three breaches.

A letter sent by OCR to MD Anderson says that the penalty includes $1.3 million for failure to protect unencrypted devices and $3 million for impermissible disclosures. In its investigation, OCR found that MD Anderson had written encryption policies that went as far back as 2006. It also found that the lack of device-level encryption posed a high security risk.

Still, the organization failed to adopt an enterprise-wide solution to implement encryption of ePHI until 2011. Additionally, it did not encrypt its inventory of electronic devices holding ePHI until between March 24, 2011, and January 25, 2013.

However, MD Anderson claimed that it was not obligated to encrypt devices and asserted that the electronic devices in question were meant for research and not subject to HIPAA's privacy rules.

The administrative law judge pushed back against the organization’s claims saying its “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI.”

Following the announcement, the OCR praised the judge’s decision to upload its imposition of penalties.

OCR Director Roger Severino said in a statement: "We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption when required to protect sensitive patient information."

According to the HHS, this is the second summary judgement victory in OCR’s history of HIPAA enforcement. It is also the fourth largest amount ever awarded to the OCR by an administrative law judge or settlement for a HIPAA violation.

MD Anderson said it was “disappointed” by the ALJ’s ruling and “concerned that key exhibits and arguments were not considered.” The institution plans to appeal the ruling.

"Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights' enforcement process," the institution added.