FEDERAL JUDGE RULES FOR OCR, FINES MD ANDERSON $4.3 MILLION FOR MAJOR HIPAA VIOLATION INVOLVING UNENCRYPTED STOLEN DEVICES AND 33,000 PATIENT RECORDS

In the ruling, the Judge found that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. The $4.3 million fine is the fourth largest amount ever awarded to OCR.

MD Anderson is an academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.

OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

LESSONS LEARNED

1.  MD Anderson had written encryption policies going back to 2006, and had identified lack of encryption as a material weakness in their own risk analysis!

2.  If a HIPAA Risk Analysis identifies a weakness in a critical area like encryption, immediately start encrypting all electronic devices.

THANKS FOR READING THE RISKAlert Report©
For more information and a free subscription, write to: caroline@riskandsecurityllc.com

We provide the best CMS Facility All-Hazards Risk Assessments, HIPAA Risk Analysis, as well as Active Shooter Training, Workplace Violence Assessments, and Mass Casualty Drills & Training Programs.

www.riskandsecurityllc.com and www.caroline-hamilton.com