A federal judge imposed a $4.3 million fine on a Texas-based cancer treatment center following an investigation into three breaches linked to unencrypted devices.
In a statement Monday, the HHS Office for Civil Rights said an administrative law judge ruled that the University of Texas MD Anderson Cancer Center violated the HIPAA privacy and security rules, reports Gov Info Security. It is the fourth largest amount ever paid for a HIPAA violation.
The case stems from three incidents in 2012 and 2013 when an employee’s laptop was stolen at a residence and two unencrypted thumb drives went missing, leading to the possible compromise of 35,000 health records.
The OCR launched an investigation following the three breaches and found that MD Anderson had written encryption policies dating as far back as 2006, and that the cancer center’s own risk analyses had found that a lack of protection could pose a high risk to patient privacy, according to The Houston Chronicle.
MD Anderson did not begin to adopt full-scale processes to implement encryption of patient health records until 2011, the government said. Even then, the center did not fully encrypt all of its devices between March 2011 and January 2013, which is when the breaches occurred.
The judge found MD Anderson’s slow implementation of security measures to be “shocking given the high risk to its patients.”
MD Anderson officials have argued that the center was not subject to encryption requirements because the electronic patient health information involved was being used for research.
A statement from MD Anderson says it plans to appeal the judgment.
“We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered,” said the statement. “In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge, there is no evidence any patient information was viewed or any harm to patients was caused.”