Healthcare Informatics Magazine | Health IT | Information Technology

Judge Rules in Favor of OCR and Upholds $4.3M Fine for MD Anderson

June 19, 2018
by Heather Landi

Houston-based The University of Texas MD Anderson Cancer Center must pay $4.3 million in fines stemming from three separate breaches involving unencrypted electronic devices that exposed patient data for 33,500 patients, according to an administrative law judge's recent ruling.

On June 1, U.S. Department of Health and Human Services (HHS) Administrative Law Judge Steven Kessel ruled that MD Anderson violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to encrypt electronic devices, and granted summary judgment to the HHS Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties imposed by OCR.

According to a June 18 release from HHS, this is the second summary judgment victory in the department’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by a judge or secured in a settlement for HIPAA violations.

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.

“OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then, it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013,” according to OCR’s release.

The administrative law judge agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

According to the judge’s decision, MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable.

The judge rejected each of these arguments, stating, “What is most striking about this case is that Respondents knew for more than five years that its patients’ ePHI was vulnerable to loss and theft and yet, it consistently failed to implement the very measures that it had identified as being necessary to protect that information.” Further, the judge wrote, “Respondent’s dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

The judge wrote in the decision that the undisputed material facts establish that MD Anderson “was not only aware of the need to encrypt devices in order to assure that confidential data including ePHI not be improperly disclosed, but it established a policy requiring the encryption and protection of devices containing ePHI.” Further, the judge criticized MD Anderson because, despite this awareness and its own policies, the cancer center made only “half-hearted and incomplete” efforts at encryption over the ensuing years.

“As a consequence, the theft of a laptop computer that was not encrypted and the loss of two unencrypted USB thumb drives resulted in the unlawful disclosure of ePHI relating to tens of thousands of Respondent's patients,” the judge wrote.

The judge also noted that the material facts indicate MD Anderson leadership identified the risks and dangers of confidential data loss and chose device encryption as the means of protecting such data; however, the organization delayed encryption of laptops for years and then proceeded “at a snail’s pace.”

According to the judge, MD Anderson did not begin mass encryption of its laptops until May 2012 with a goal of encrypting all university laptop computers by August 2012. As of January 2014, nearly ten percent of the organization’s computers, more than 2,600 devices, remained unencrypted. MD Anderson’s compliance officer issued an annual risk analysis in June 2013 that identified failure to encrypt data as a high-risk impact area, the judge stated.

OCR detailed the three breach incidents as follows. The first involved the theft of an unencrypted laptop computer containing the ePHI of 29,000 individuals, including patients’ names, Social Security numbers, medical record numbers and treatment/research information. In the second incident, an employee lost an unencrypted USB thumb drive containing ePHI relating to 2,200 individuals, including patients’ names, dates of birth, medical record numbers, diagnoses and treatment and research information. In the third incident, a visiting researcher lost an unencrypted USB thumb drive containing ePHI relating to 3,600 individuals, likely including patients’ names, dates of birth, medical record numbers, diagnoses and treatment information.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
