$4.3 Million HIPAA Penalty For 3 Breaches

20 Jun

A lack of device encryption will cost a Texas-based cancer treatment center $4.3 million in civil monetary penalties from the Department of Health and Human Services.

In a statement Monday, the HHS Office for Civil Rights said it was granted a summary judgment by an HHS administrative law judge, who ruled that The University of Texas MD Anderson Cancer Center violated the HIPAA privacy and security rules. The judge approved OCR imposing $4.3 million in penalties in the aftermath of its investigations into three breaches involving unencrypted devices.

In a statement provided to Information Security Media Group, MD Anderson says it plans to appeal the judgment.

“We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the OCR enforcement process.”

Rare Ruling

The ruling is only the second summary judgment in the agency’s history of HIPAA enforcement. The financial penalty is the fourth largest amount ever awarded to OCR by an administrative law judge or secured in a settlement for HIPAA violations, OCR notes in the statement.

A letter that OCR sent to MD Anderson says that the penalty includes $1.3 million for violations related to its unencrypted access controls and $3 million for impermissible disclosures.

MD Anderson is an academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston.

Breach Investigations

OCR says it investigated MD Anderson following three separate data breach reports in 2012 and 2013. One involved the theft of an unencrypted laptop from the residence of an MD Anderson employee; the other two involved the loss of unencrypted universal serial bus (USB) thumb drives containing unencrypted electronic protected health information (ePHI) on a total of over 33,500 individuals (see: Cancer Center Reports 2nd Data Breach).

“OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI,” OCR says in the statement.

“Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprisewide solution to implement encryption of ePHI until 2011, and even then, it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013,” the statement adds.

The administrative law judge agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s noncompliance with HIPAA and for each record of individuals breached, OCR notes.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” says OCR Director Roger Severino.