MD Anderson to pay $4.3 million penalty for data breach

University of Texas MD Anderson Cancer Center must pay $4.3 million in civil penalty to the federal Office of Civil Rights for HIPAA violations stemming from data breaches in 2012 and 2013. Photo: Aker Imaging, Houston

A federal judge imposed a $4.3 million fine against the University of Texas MD Anderson Cancer Center for failing to secure health records, which led to the possible compromise of the health records of 35,000 people, the U.S. Department of Health and Human Services announced Monday.

The case stems from three incidents in 2012 and 2013 when an employee’s laptop was stolen at a residence and two unencrypted thumb drives went missing.

Steven T. Kessel, the HHS administrative law judge in the case, found MD Anderson’s slow implementation of security measures “shocking.”

MD Anderson’s failure to encrypt health records was a violation of the Health Insurance Portability and Accountability Act, the 1996 rule known as HIPAA put in place to protect patient privacy, according to the ruling from an HHS administrative law judge. The judge granted summary judgment to the Office for Civil Rights.

It is the fourth largest amount ever awarded to the Office of Civil Rights for a HIPAA violation, the government said.

“We are disappointed by the ALJ’s ruling and we are concerned that key exhibits and arguments were not considered,” MD Anderson officials said Tuesday in an emailed statement to the Chronicle.

“In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge, there is no evidence any patient information was viewed or any harm to patients was caused,” the statement continued. A spokesman for the nationally acclaimed cancer center added that it planned to appeal, that there would be no further comment, and offered no details on the case.

HIPAA, signed into law by President Bill Clinton, established the first nationally recognizable regulations for the use and disclosure of an individual’s health information.

The Office of Civil Rights launched an investigation following the three breaches and found that MD Anderson had, in fact, written encryption policies dating as far back as 2006. The cancer center’s own risk analyses found that a lack of protection could pose a high risk to patient privacy. However, MD Anderson did not begin to adopt full-scale processes to implement encryption of patient health records until 2011, the government said.

Even then, the center did not fully encrypt all of its devices between March 2011 and January 2013, according to the case. It was during that time that the breaches occurred.

MD Anderson has argued that it was not subject to encryption requirements because the electronic patient health information involved was being used for “research.” The cancer center also has argued that the penalties were unreasonable, the government statement said.

Kessel rejected those arguments and said that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients.”

“The OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” Roger Severino, director of the Office of Civil Rights, said in a statement.

jenny.deam@chron.com