OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

June 21, 2018


The Department of Health and Human Services’ Office for Civil Rights has announced that its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations connected to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center located at the Texas Medical Center in Houston, TX. After the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were the result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the residence of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis found that the use of unencrypted devices posed a serious risk to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, although its policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not applied to all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computer systems. Had MD Anderson implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.