MD Anderson fined $4.3M for HIPAA violations related to 3 data breaches

In a June 18 release, HHS announced a ruling against the University of Texas MD Anderson Cancer Center in Houston requiring $4.3 million in civil penalties due to three data breaches from 2012 and 2013.

Personnel at MD Anderson lost a laptop and two thumb drives, containing information about thousands of patients.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson argued the devices did not require encryption because the personal information they held was for research, meaning it was not subject to HIPAA requirements. A release from MD Anderson emphasized patient privacy and data security while disagreeing with the final judgment.

“Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information,” according to MD Anderson’s statement. “In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused.”