Houston-based The University of Texas MD Anderson Cancer Center must pay $4.3 million in fines stemming from three separate breaches involving unencrypted electronic devices that exposed patient data for 33,500 patients, according to an administrative law judge's recent ruling.
On June 1, U.S. Department of Health and Human Services (HHS) Administrative Law Judge Steven Kessel ruled that MD Anderson violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to encrypt electronic devices, and granted summary judgment to the HHS Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties imposed by OCR.
According to a June 18 release from HHS, this is the second summary judgment victory in the department’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by a judge or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.
“OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then, it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013,” according to OCR’s release.
The administrative law judge agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
According to the judge’s decision, MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable.
The judge rejected each of these arguments, stating, “What is most striking about this case is that Respondents knew for more than five years that its patients’ ePHI was vulnerable to loss and theft and yet, it consistently failed to implement the very measures that it had identified as being necessary to protect that information.” Further, the judge wrote, “Respondent’s dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
The judge wrote in the decision that the undisputed material facts establish that MD Anderson “was not only aware of the need to encrypt devices in order to assure that confidential data including ePHI not be improperly disclosed, but it established a policy requiring the encryption and protection of devices containing ePHI.” Further, the judge criticized MD Anderson because, despite this awareness and its own policies, the cancer center made only “half-hearted and incomplete” efforts at encryption over the ensuing years.
“As a consequence, the theft of a laptop computer that was not encrypted and the loss of two unencrypted USB thumb drives resulted in the unlawful disclosure of ePHI relating to tens of thousands of Respondent's patients,” the judge wrote.
The judge also noted that the material facts indicate MD Anderson leadership identified the risks and dangers of confidential data loss and decided on encryption of devices as a means of protecting such data. Nevertheless, the organization delayed encryption of laptop devices for years and then proceeded with encryption “at a snail’s pace.”
According to the judge, MD Anderson did not begin mass encryption of its laptops until May 2012 with a goal of encrypting all university laptop computers by August 2012. As of January 2014, nearly ten percent of the organization’s computers, more than 2,600 devices, remained unencrypted. MD Anderson’s compliance officer issued an annual risk analysis in June 2013 that identified failure to encrypt data as a high-risk impact area, the judge stated.
In OCR’s account of the breach incidents, the first breach involved the theft of an unencrypted laptop computer that contained the ePHI of 29,000 individuals; the information included patients’ names, Social Security numbers, medical record numbers and treatment/research information. In the second incident, an employee lost an unencrypted USB thumb drive containing ePHI relating to 2,200 individuals, including patients’ names, dates of birth, medical record numbers, diagnoses and treatment and research information. In the third incident, a visiting researcher lost an unencrypted USB thumb drive containing ePHI relating to 3,600 individuals, likely including information such as patients’ names, dates of birth, medical record numbers, diagnoses and treatment information.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”