Sign in

Judge rules in favor of OCR, orders cancer center to pay $4.3 for HIPAA violations 

By: Lisa Marlin

June 20, 2018

This week the U.S. Department of Health and Human Services (HHS) announced that HHS Administrative Law Judge Steven Kessel has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated HIPAA and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR.  

This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations. 

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.  

The investigation revealed that MD Anderson had conducted a required HIPAA risk analysis which showed that the use of unencrypted devices did pose a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted. 

However, encryption was not implemented until five years later in 2011, and even then, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. Had MD Anderson implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented. 

Kessel wrote in his decision that “[MD Anderson’s] dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI, a risk that respondent not only recognized but that it restated many times.” 

OCR Director Roger Severino said in a statement that the office is pleased the judge upheld its penalties. “It underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information,” he said.  

Don’t put your organization at risk. Let the experts at PrivaPlan help with our online security reminder videos, our managed phishing testing, and of course, by conducting a HIPAA Security Risk Analysis. To learn more, contact our HIPAA experts today at info@privaplan.com or call 877-218-7707.