DATA SECURITY

Cancer Center Hit with $4.3 Million HIPAA Fine for Failure to Encrypt

Case: The University of Texas MD Anderson Cancer Center was on the wrong end of the fourth largest HIPAA fine ever dished out by the HHS Office for Civil Rights for a trio of incidents between 2012 and 2013:

  • An employee’s laptop was stolen;
  • A trainee lost a thumb drive; and
  • A visiting researcher lost another thumb drive.

Result: Personal data of 33,800 patients was compromised.

Significance: Theft and loss of devices containing patient data is an all too common occurrence. What made this case different, and egregious enough to warrant a massive HIPAA fine, was that MD Anderson failed to encrypt the data. MD Anderson adopted an encryption policy in 2006 but didn’t begin actually encrypting PHI on its computers until 2011, an effort that took over two years to complete. It argued that since the data was used for research purposes, HIPAA requirements didn’t apply. But the HHS administrative law judge disagreed, finding the Texas hospital’s “dilatory conduct shocking given the high risk to patients resulting from the unauthorized disclosure” of digital PHI. MD Anderson says it plans to appeal the ruling, contending that there’s no evidence that any unauthorized party actually viewed the PHI.
