On June 18, 2018, the U.S. Department of Health and Human Services (HHS) announced a ruling against the University of Texas MD Anderson Cancer Center in Houston.
As a consequence of three data breaches in 2012 and 2013, an HHS administrative law judge (ALJ) upheld the finding of the HHS Office for Civil Rights (OCR) and ordered MD Anderson to pay $4,348,000 in civil money penalties.
This is only the second summary judgment victory in OCR’s history of HIPAA enforcement, and the $4.3 million is the fourth largest amount OCR has ever obtained for HIPAA violations, whether awarded by an ALJ or secured in a settlement.
MD Anderson data breaches
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston.
The three data breaches occurred when an unencrypted laptop was stolen from the residence of an MD Anderson employee and when two other staff members lost two unencrypted universal serial bus (USB) thumb drives; together the devices held the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.
During its investigation, OCR found that MD Anderson had had written encryption policies in place since 2006, and that MD Anderson’s own risk analyses had identified the lack of device-level encryption as a high risk to the security of ePHI.
Despite those policies and its own high-risk findings, MD Anderson did not begin adopting an enterprise-wide solution for encrypting ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The documented policy and risk analysis did not help MD Anderson; they established that the organization knew the risk and left it unaddressed for years.
ALJ rules in favor of the OCR and fines MD Anderson $4.3 million in penalties
The judge stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
As a result, the ALJ agreed with OCR’s arguments and findings and upheld the penalties OCR had calculated: a per-day penalty for each day MD Anderson remained out of compliance with the HIPAA encryption requirement, and a per-record penalty for each individual whose ePHI was impermissibly disclosed.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
MD Anderson responds to the ruling
In response to the findings, MD Anderson argued that it was not obligated to encrypt its devices. It also claimed that the ePHI on the lost and stolen devices was, at least in part, research data and therefore not subject to HIPAA’s nondisclosure requirements, and that the penalties imposed were unreasonable.
“Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information,” an MD Anderson spokesperson told Becker’s Hospital Review in a June 19 email. “In all three cases involving the loss or theft of devices reviewed by the administrative law judge, there is no evidence any patient information was viewed or any harm to patients was caused.”
MD Anderson added that it plans to appeal the administrative law judge’s ruling.
“We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered,” wrote a health system spokesperson. “Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights’ enforcement process.”