October 01, 2018

‘Pay Attention or Pay Up’: What Led to MD Anderson Cancer Center’s $4.3 Million Penalty for HIPAA Violations

Jennifer Mitchell and Bryan Murray, Dinsmore & Shohl, LLP, Cincinnati, OH

On June 1, 2018, U.S. Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) Steven Kessel imposed $4,348,000 in civil monetary penalties against The University of Texas MD Anderson Cancer Center (MD Anderson) as a result of “dilatory conduct” that resulted in HIPAA violations.[1] MD Anderson’s monumental penalty stemmed from three separate HIPAA incidents, which included: (1) the April 30, 2012 theft of an unencrypted laptop computer from an MD Anderson employee’s residence; (2) the July 13, 2012 loss of an unencrypted thumb drive by a trainee on an MD Anderson employee shuttlebus; and (3) the November 27, 2013 loss of an unencrypted thumb drive by a visiting researcher.[2] Collectively, the laptop computer contained electronic protected health information (ePHI) relating to almost 30,000 patients, while the trainee’s thumb drive and the researcher’s thumb drive contained the ePHI of 2,200 and 3,600 patients, respectively.[3] Despite recognizing the need to encrypt ePHI-storing devices as early as 2006,[4] MD Anderson did not complete its encryption efforts until well after the three HIPAA incidents occurred. HHS’ Office for Civil Rights’ (OCR) investigation determined that MD Anderson’s delayed encryption efforts led MD Anderson to violate HIPAA requirements in two respects: “(1) it failed to perform its self-imposed duty to encrypt electronic devices and data storage equipment; and (2) it allowed ePHI to be disclosed.”[5]
