Cancer Center Hit with $4.3 Million HIPAA Fine for Failure to Encrypt

Case: The University of Texas MD Anderson Cancer Center was on the wrong end of the fourth largest HIPAA fine ever dished out by the HHS Office for Civil Rights for a trio of incidents between 2012 and 2013:

• An employee’s laptop was stolen;
• A trainee lost a thumb drive; and
• A visiting researcher lost another thumb drive.

Result: Personal data of 33,800 patients was compromised.

Significance: Theft and loss of devices containing patient data is an all too common occurrence. What made this case different and egregious enough to warrant a massive HIPAA fine was that Anderson failed to encrypt the data. MD Anderson implemented an encryption policy in 2006 but didn’t begin actual encryption of PHI on its computers until 2011, an effort that took over two years to complete. It argued that since the data was used for research purposes, HIPAA requirements didn’t apply. But the HHS administrative law judge disagreed finding the Texas hospital’s “dilatory conduct shocking given the high risk to patients resulting from the unauthorized disclosure” of digital PHI. MD Anderson says it plans to appeal the ruling contending that there’s no evidence that any unauthorized party actually viewed the PHI.